Details
Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Description
If the C++ broker is sent ConnectionTuneOk more than once with heartbeat set, it creates one heartbeat timer task per ConnectionTuneOk received. This results in a heartbeat task being triggered for a connection that has already been deleted.
Steps to reproduce:
1) Start broker:
MALLOC_MMAP_THRESHOLD_=8 qpidd
Setting MALLOC_MMAP_THRESHOLD_ this low is there to make the use-after-free fault immediately rather than having to depend on heap corruption showing up later.
2) Run the following python script:
import struct, time
from qpid.framing import OpEncoder, SegmentEncoder, FrameEncoder
from qpid.util import connect
from qpid.ops import *

def encode(op):
    # Encode a single AMQP 0-10 control as a framed byte string.
    print "Sending:", op
    op_enc = OpEncoder()
    seg_enc = SegmentEncoder()
    frame_enc = FrameEncoder()
    op_enc.write(op)
    seg_enc.write(*op_enc.read())
    frame_enc.write(*seg_enc.read())
    frame_bytes = frame_enc.read()
    print " bytes:", repr(frame_bytes)
    return frame_bytes

conn = connect("127.0.0.1", 5672)
# AMQP 0-10 protocol header
conn.send(struct.pack("!4s4B", "AMQP", 1, 1, 0, 10))
# Send ConnectionTuneOk twice: the broker schedules a heartbeat task for each one
conn.send(encode(ConnectionTuneOk(heartbeat=1)))
conn.send(encode(ConnectionTuneOk(heartbeat=1)))
conn.send(encode(ConnectionOpen(virtual_host="vhost-blah", channel=0)))
# Keep the socket open long enough for the heartbeat timers to fire
time.sleep(3)
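As an added illustration of the defect and a defensive fix (this is a stand-in model, not the Qpid broker's own code; the Connection, HeartbeatTask and Timer classes are assumptions), the handler cancels any existing heartbeat task before scheduling a new one, and the task holds only a weak reference so a late firing cannot touch a deleted connection:

```cpp
// Illustrative model of the defect above and one defensive fix: stand-in
// classes, not the Qpid broker's own Connection/Timer code.
#include <memory>
#include <vector>

struct Connection;
// The task keeps only a weak reference to its connection, so firing after the
// connection is deleted is a harmless no-op instead of a use-after-free.
struct HeartbeatTask {
    std::weak_ptr<Connection> conn;
    bool cancelled = false;
    explicit HeartbeatTask(std::weak_ptr<Connection> c) : conn(c) {}
    bool fire();  // true if a heartbeat was sent
};

// Minimal timer: a list of scheduled tasks driven by tick(), no real clock.
struct Timer {
    std::vector<std::shared_ptr<HeartbeatTask>> tasks;
    // Fire each task once; drop cancelled or orphaned ones; return sends.
    int tick() {
        std::vector<std::shared_ptr<HeartbeatTask>> live;
        for (auto& t : tasks)
            if (!t->cancelled && t->fire()) live.push_back(t);
        tasks.swap(live);
        return static_cast<int>(tasks.size());
    }
};

struct Connection : std::enable_shared_from_this<Connection> {
    Timer& timer;
    std::shared_ptr<HeartbeatTask> heartbeatTask;  // at most one per connection
    int heartbeatsSent = 0;
    explicit Connection(Timer& t) : timer(t) {}
    // Cancel any existing heartbeat task before scheduling a new one, so a
    // repeated ConnectionTuneOk cannot multiply tasks.
    void tuneOk(int heartbeat) {
        if (heartbeatTask) heartbeatTask->cancelled = true;
        heartbeatTask.reset();
        if (heartbeat > 0) {
            heartbeatTask = std::make_shared<HeartbeatTask>(shared_from_this());
            timer.tasks.push_back(heartbeatTask);
        }
    }
};

bool HeartbeatTask::fire() {
    auto c = conn.lock();  // null once the connection has been deleted
    if (c) ++c->heartbeatsSent;  // a real task would write a heartbeat frame
    return c != nullptr;
}
```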