comm_kqueue out-of-bounds check

From: Adrian Chadd <adrian@dont-contact.us>
Date: Mon, 6 Nov 2006 19:32:44 +0800

I think this is an out-of-bounds condition inside comm_kqueue.
Specifically, if kqoff == kqmax then kqoff is one past the array
of kevent entries (which is an array of size kqmax from 0 -> kqmax - 1).
I think this code could run off the end of the array.
Then kqoff (which is equal to kqmax) is submitted which tells kevent
there's kqoff entries to check; that checks 0 .. kqoff - 1 missing
the last one.

Please let me know if this long-winded analysis is wrong.

(I've taken the opportunity to delete some unused code and silly
comments whilst I'm at it.)

Adrian

Index: comm_kqueue.cc
===================================================================
RCS file: /server/cvs-server/squid/squid3/src/comm_kqueue.cc,v
retrieving revision 1.12
diff -u -r1.12 comm_kqueue.cc
--- comm_kqueue.cc 2 Sep 2006 10:43:10 -0000 1.12
+++ comm_kqueue.cc 6 Nov 2006 11:24:06 -0000
@@ -100,11 +100,6 @@
     PF *cur_handler;
     int kep_flags;
 
-#if 0
-
- int retval;
-#endif
-
     switch (filter) {
 
     case EVFILT_READ:
@@ -136,10 +131,11 @@
 
         EV_SET(kep, (uintptr_t) fd, filter, kep_flags, 0, 0, 0);
 
- if (kqoff == kqmax) {
+ /* Check if we've used the last one. If we have then submit them all */
+ if (kqoff == kqmax - 1) {
             int ret;
 
- ret = kevent(kq, kqlst, kqoff, NULL, 0, &zero_timespec);
+ ret = kevent(kq, kqlst, kqmax, NULL, 0, &zero_timespec);
             /* jdc -- someone needs to do error checking... */
 
             if (ret == -1) {
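Review bot: the new boundary `kqoff == kqmax - 1` is only safe if the body resets kqoff to 0 after the kevent() call; that reset is not within this hunk's context (the `else { kqoff++; }` at the end of the next hunk is the only kqoff update shown), so please confirm it is there, otherwise the next EV_SET would overwrite slot kqmax - 1 and the batch would keep being resubmitted with one entry silently lost. Separately, on `ret == -1` a full batch of kqmax registrations is dropped while the `/* jdc -- someone needs to do error checking... */` line is left standing; since this hunk already touches the kevent() call, it would be a good point to at least log errno and the number of entries lost rather than keep the TODO.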
@@ -151,18 +147,6 @@
         } else {
             kqoff++;
         }
-
-#if 0
- if (retval < 0) {
- /* Error! */
-
- if (ke.flags & EV_ERROR) {
- errno = ke.data;
- }
- }
-
-#endif
-
     }
 }
 
@@ -249,12 +233,6 @@
 
     struct timespec poll_time;
 
- /*
- * remember we are doing NANOseconds here, not micro/milli. God knows
- * why jlemon used a timespec, but hey, he wrote the interface, not I
- * -- Adrian
- */
-
     if (msec > max_poll_time)
         msec = max_poll_time;
 
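Review bot: the deleted comment was the only place recording that the timespec passed to kevent() is in nanoseconds, not milliseconds; if the msec-to-timespec conversion that follows relies on that, keep a one-line note next to the conversion and drop only the editorial part.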
Received on Mon Nov 06 2006 - 04:28:31 MST
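The batching logic analysed in the mail above, as an added model (not Squid's code): a bounds-checked stand-in for the kqlst array and for the kevent() submit step, with the pre-patch and patched boundary tests side by side. It assumes the submit branch resets kqoff to 0, which is outside the hunk shown; KQMAX, `struct batch` and `run()` are constructed names.

```c
#include <string.h>
#define KQMAX 4   /* batch size; Squid's kqmax is larger, the value is illustrative */
/* Stand-ins for kqlst/kqoff and for what kevent() would have received. */
struct batch {
    int slots[KQMAX];   /* the kevent array, valid indices 0 .. KQMAX-1 */
    int kqoff;          /* next free slot */
    int submitted;      /* entries handed to the simulated kevent() */
    int oob_writes;     /* writes past slots[KQMAX-1], caught here instead */
};

/* What EV_SET(kep, ...) does to slot idx, with a bounds check added. */
static void store(struct batch *b, int idx, int fd)
{
    if (idx >= KQMAX) { b->oob_writes++; return; }  /* real code corrupts memory here */
    b->slots[idx] = fd;
}

/* Pre-patch logic: compare against kqmax after writing slot kqoff. */
static void add_old(struct batch *b, int fd)
{
    store(b, b->kqoff, fd);
    if (b->kqoff == KQMAX) {       /* only true after the OOB write above */
        b->submitted += b->kqoff;  /* submits 0 .. KQMAX-1, not the entry just written */
        b->kqoff = 0;              /* assumed: the reset lives outside the hunk */
    } else {
        b->kqoff++;
    }
}

/* Patched logic: slot KQMAX-1 is the last valid one; submit all KQMAX. */
static void add_new(struct batch *b, int fd)
{
    store(b, b->kqoff, fd);
    if (b->kqoff == KQMAX - 1) {
        b->submitted += KQMAX;
        b->kqoff = 0;
    } else {
        b->kqoff++;
    }
}

/* Register n descriptors through one variant and return the final state. */
struct batch run(int n, int use_fixed)
{
    struct batch b;
    memset(&b, 0, sizeof b);
    for (int fd = 0; fd < n; fd++) {
        if (use_fixed) add_new(&b, fd); else add_old(&b, fd);
    }
    return b;
}
```

With KQMAX + 1 registrations the old test fires only on the last call, after the write past the array, and that entry is the one kevent() never sees; the patched test submits a full batch from in-bounds writes only.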