From 0448d8b8e63652ac5faefcc92482b4a20318cb39 Mon Sep 17 00:00:00 2001 From: raster Date: Mon, 13 Feb 2012 06:49:30 +0000 Subject: [PATCH] =?utf8?q?From:=20=EC=9C=A4=EC=A0=95=ED=98=84=20=20Subject:=20Re:=20[E-devel]=20[Patch]=20ecore=5F?= =?utf8?q?ipc=20-=20remove=20potential=20risk=20in=20ecore=5Fipc=5Fshutdow?= =?utf8?q?n?= MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit I found a problem this infinite loop case. If server is deleted, then ECORE_IPC_EVENT_SERVER_DEL callback function will be called in client side. It will happen infinite loop in ecore_ipc_shutdown if ecore_ipc_shutdown called in this ECORE_IPC_EVENT_SERVER_DEL callback function. For example, server_del_handler = ecore_event_handler_add(ECORE_IPC_EVENT_SERVER_DEL, _server_del_cb, NULL); static Eina_Bool _server_del_cb(void *data, int type, void *event) { ecore_ipc_shutdown(); return EINA_TRUE; } If server is deleted, 1. _ecore_ipc_event_server_del : svr->event_count++ 2. _server_del_cb : ecore_ipc_shutdown called 3. ecore_ipc_shutdown : while (servers) ecore_ipc_server_del(eina_list_data_get(servers)) 4. ecore_ipc_server_del : can't eina_list_remove(servers, svr) because event_count != 0 5. infinite loop I think this while code is very dangerous whether user miss or not. I modified EINA_LIST_FOREACH_SAFE instead of EINA_LIST_FOREACH refer to ecore_con. Please review this patch. git-svn-id: svn+ssh://svn.enlightenment.org/var/svn/e/trunk/ecore@67874 7cbeb6ba-43b4-40fd-8cce-4c39aea84d33 --- src/lib/ecore_ipc/ecore_ipc.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/src/lib/ecore_ipc/ecore_ipc.c b/src/lib/ecore_ipc/ecore_ipc.c index e27134d..0210f1d 100644 --- a/src/lib/ecore_ipc/ecore_ipc.c +++ b/src/lib/ecore_ipc/ecore_ipc.c @@ -316,7 +316,10 @@ ecore_ipc_shutdown(void) if (--_ecore_ipc_init_count != 0) return _ecore_ipc_init_count; - while (servers) ecore_ipc_server_del(eina_list_data_get(servers)); + Eina_List *l, *l2; + Ecore_Ipc_Server *svr; + EINA_LIST_FOREACH_SAFE(servers, l, l2, svr) + ecore_ipc_server_del(svr); for (i = 0; i < 6; i++) ecore_event_handler_del(handler[i]); -- 2.7.4