Timothy J. Miller wrote:

This whole process looks to me like it's detecting a token change (removal), deleting the session, returning the wrong error code because of the function failed errors, and then launching us into the second slot_FreeSession call which is dereferencing a stale pointer.

Actually, I think there's no fewer than 4 bugs here:

1) slot_TokenChanged is detecting a token change when none occurred, deleting the session prematurely;

2) slot_TokenChanged is either returning the wrong value or closeSessionLocked is looking for the wrong return value from slot_TokenChanged, causing the attempt to free the session twice;

3) session_FreeSession isn't cleaning up the session hash table correctly, leaving bad pointers in it instead of nulling them out;

4) session_FreeSession isn't looking for NULLs anyway.

I'm going to delve into (1) and (2), but since I'm new to this code it will likely take some time. If anyone has any fixes in the meantime I would be greatly appreciative.

-- Tim
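The cleanup pattern behind bugs (3) and (4), as an added example that is not the Muscle project's code: a minimal session table whose free routine is shown both in the defective form (slot left pointing at freed memory, no NULL check) and in a hardened form that survives the double slot_FreeSession path described above. The `session_t`, `table`, and function names are hypothetical.

```c
/* Added example, not code from the Muscle code base. The session table,
 * session_t and all function names here are hypothetical constructions. */
#include <stdio.h>
#include <stdlib.h>

#define MAX_SESSIONS 4

typedef struct { unsigned long handle; int open; } session_t;

/* Hash-table stand-in: one slot per session, NULL means "no session". */
static session_t *table[MAX_SESSIONS];

/* Allocate a session into the first empty slot; returns slot index or -1. */
static int session_open(unsigned long handle) {
    for (int i = 0; i < MAX_SESSIONS; i++) {
        if (table[i] == NULL) {
            table[i] = calloc(1, sizeof(session_t));
            if (table[i] == NULL) return -1;
            table[i]->handle = handle;
            table[i]->open = 1;
            return i;
        }
    }
    return -1;
}

/* Defective pattern (bugs 3 and 4): frees the session but leaves the slot
 * pointing at freed memory and never checks for NULL, so a second call on
 * the same slot dereferences a stale pointer. Shown for contrast only. */
void free_session_buggy(int slot) {
    free(table[slot]);
}

/* Hardened: bounds- and NULL-check the slot, then clear it after freeing,
 * so a repeated free is a harmless no-op. Returns 1 if something was freed. */
static int free_session_fixed(int slot) {
    if (slot < 0 || slot >= MAX_SESSIONS || table[slot] == NULL)
        return 0;                 /* nothing to free: not an error */
    free(table[slot]);
    table[slot] = NULL;           /* no stale pointer left behind */
    return 1;
}

/* Models closeSessionLocked freeing the same session twice; returns 1 if
 * the second free was rejected and the slot is clean. */
static int demo_double_close(void) {
    int slot = session_open(0x1001UL);   /* constructed sample handle */
    if (slot < 0) return 0;
    int first = free_session_fixed(slot);   /* 1: freed and nulled */
    int second = free_session_fixed(slot);  /* 0: slot already NULL */
    return first == 1 && second == 0 && table[slot] == NULL;
}

int main(void) {
    printf("double close safe: %d\n", demo_double_close());
    return 0;
}
```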

_______________________________________________
Muscle mailing list
Muscle@lists.musclecard.com
http://lists.drizzle.com/mailman/listinfo/muscle