[Boost-bugs] [Boost C++ Libraries] #2735: Memory corruption

Subject: [Boost-bugs] [Boost C++ Libraries] #2735: Memory corruption
From: Boost C++ Libraries (noreply_at_[hidden])
Date: 2009-02-09 06:31:58

• Next message: Boost C++ Libraries: "[Boost-bugs] [Boost C++ Libraries] #2736: The "regex_replace" function's format string parameter can refer to at most 99 subexpressions."
• Previous message: Boost C++ Libraries: "Re: [Boost-bugs] [Boost C++ Libraries] #2703: lagged_fibonacci_01::seed() bug"
• Next in thread: Boost C++ Libraries: "Re: [Boost-bugs] [Boost C++ Libraries] #2735: Memory corruption"
• Reply: Boost C++ Libraries: "Re: [Boost-bugs] [Boost C++ Libraries] #2735: Memory corruption"

#2735: Memory corruption
---------------------------------------+------------------------------------
 Reporter: Lono <KHaiFeng_at_[hidden]> | Owner: chris_kohlhoff
     Type: Bugs | Status: new
Milestone: To Be Determined | Component: asio
  Version: Boost 1.37.0 | Severity: Problem
 Keywords: |
---------------------------------------+------------------------------------
 A memory corruption caused by access to invalid pointer "overlapped" at
 function shutdown_service in win_iocp_io_service.hpp line 144

 The bug is caused by the return value of ::GetQueuedCompletionStatus is
 not checked. when the function return false, the value of "overlapped"
 will be invalid( not zero) and access to the pointer will cause memory
 corruption.

 I am sorry that I cannot give you a example to reproduce this bug (due to
 the company policy)
 You can reproduce this issue by calling ::ConnectNamedPipe and close the
 pipe immediately before any clients connect to the pipe.
 ::GetQueuedCompletionStatus will return "pending I/O operation is still in
 progress" and failed.

 This bug is very hard to find due to the corruption may corrupt other part
 of the code. If you don't want to fully support windows
 pipe(::ConnectNamedPipe is supported by Windows IOCP, but not by asio),
 that's fine. I know the problem is caused by my misuse of asio, but please
 do check the return value of windows API and avoid the memory corruption
 problem.

 Thank you.

 btw, please ingore "?" above.

 {{{
 void shutdown_service()
   {
     ::InterlockedExchange(&shutdown_, 1);

     while (::InterlockedExchangeAdd(&outstanding_operations_, 0) > 0)
     {
       DWORD bytes_transferred = 0;
 #if (WINVER < 0x0500)
       DWORD completion_key = 0;
 #else
       DWORD_PTR completion_key = 0;
 #endif
       LPOVERLAPPED overlapped = 0;
       ::GetQueuedCompletionStatus(iocp_.handle, &bytes_transferred,
           &completion_key, &overlapped, INFINITE);
       if (overlapped)
         static_cast<operation*>(overlapped)->destroy();
     }

     for (std::size_t i = 0; i < timer_queues_.size(); ++i)
       timer_queues_[i]->destroy_timers();
     timer_queues_.clear();
   }
 }}}

-- 
Ticket URL: <https://svn.boost.org/trac/boost/ticket/2735>
Boost C++ Libraries <http://www.boost.org/>
Boost provides free peer-reviewed portable C++ source libraries.

• Next message: Boost C++ Libraries: "[Boost-bugs] [Boost C++ Libraries] #2736: The "regex_replace" function's format string parameter can refer to at most 99 subexpressions."
• Previous message: Boost C++ Libraries: "Re: [Boost-bugs] [Boost C++ Libraries] #2703: lagged_fibonacci_01::seed() bug"
• Next in thread: Boost C++ Libraries: "Re: [Boost-bugs] [Boost C++ Libraries] #2735: Memory corruption"
• Reply: Boost C++ Libraries: "Re: [Boost-bugs] [Boost C++ Libraries] #2735: Memory corruption"

This archive was generated by hypermail 2.1.7 : 2017-02-16 18:49:59 UTC