diff options
author | Patrick Ohly <patrick.ohly@intel.com> | 2014-09-10 03:38:06 -0700 |
---|---|---|
committer | Patrick Ohly <patrick.ohly@intel.com> | 2014-09-10 03:38:06 -0700 |
commit | c666d39d3f0fe071890032f602ee62e61cf070a5 (patch) | |
tree | e4c382643ad7a0f1ec0deea99b39d0065b4193cd | |
parent | ca35df7f36ba54a7f8425e42e4b38376c8064868 (diff) |
engine: fix use-after-free bug when delaying command execution
In one particular case, a pending command that needs more data, the engine
crashed because delayed command execution code path deleted the command still
needed for the next chunk (found in Client::Sync::eds_contact_eds_memo::testLargeObject).
-rw-r--r-- | src/sysync/syncsession.cpp | 8 |
1 files changed, 6 insertions, 2 deletions
diff --git a/src/sysync/syncsession.cpp b/src/sysync/syncsession.cpp index f7c7a11..f89a89e 100644 --- a/src/sysync/syncsession.cpp +++ b/src/sysync/syncsession.cpp @@ -2838,8 +2838,12 @@ bool TSyncSession::tryDelayedExecutionCommands() syncEndAfterSyncPackageEnd=true; // remember that we had at least one } // execution finished, can be deleted - PDEBUGPRINTFX(DBG_SESSION,("%s: command finished execution -> deleting",cmdP->getName())); - delete cmdP; + if (fIncompleteDataCommandP == cmdP) { + PDEBUGPRINTFX(DBG_SESSION,("%s: command incomplete -> keeping it for next message",cmdP->getName())); + } else { + PDEBUGPRINTFX(DBG_SESSION,("%s: command finished execution -> deleting",cmdP->getName())); + delete cmdP; + } // delete from queue fDelayedExecutionCommands.pop_front(); } |