lib: avoid crash when cancelling invalid rw job

There are some observed instances where we end up trying to cancel a rw job based on a file descriptor that we don't have a reference on. The specific cancel function for rw jobs assumes it's called with a file descriptor that is valid within pollfds and will cause a segmentation fault by buffer overrun if this is not the case. Instead log it and move on. Since the fd does not exist this should patch over the buggy behavior and provide additional information to help in finding the root cause. Reviewed-by: Donald Sharp <sharpd@cumulusnetworks.com> Signed-off-by: Quentin Young <qlyoung@cumulusnetworks.com>
2025-08-06 14:29:47 +00:00 · 2017-12-01 14:44:32 -05:00 · 2017-12-01 14:44:32 -05:00 · 42d745387a
commit 42d745387a
parent 23b6084b8c
1 changed files with 13 additions and 1 deletions
--- a/lib/thread.c
+++ b/lib/thread.c
@ -919,6 +919,8 @@ struct thread *funcname_thread_add_event(struct thread_master *m,
 */
 static void thread_cancel_rw(struct thread_master *master, int fd, short state)
 {
+	bool found = false;
+
 	/* Cancel POLLHUP too just in case some bozo set it */
 	state |= POLLHUP;

@ -926,8 +928,18 @@ static void thread_cancel_rw(struct thread_master *master, int fd, short state)
 	nfds_t i;

 	for (i = 0; i < master->handler.pfdcount; i++)
-		if (master->handler.pfds[i].fd == fd)
+		if (master->handler.pfds[i].fd == fd) {
+			found = true;
 			break;
+		}
+
+	if (!found) {
+		zlog_debug(
+			"[!] Received cancellation request for nonexistent rw job");
+		zlog_debug("[!] threadmaster: %s | fd: %d",
+			 master->name ? master->name : "", fd);
+		return;
+	}

 	/* NOT out event. */
 	master->handler.pfds[i].events &= ~(state);