Cisco Bug: CSCuo28228 - TFTP server may crash
Jun 20, 2016
- Cisco Network Registrar
Known Affected Releases
Symptom: The TFTP server crashes. A (Linux) stack trace might look as follows:
<pre>
#0 0x0089f527 in pthread_mutex_unlock () from /lib/libpthread.so.0
#1 0x0056e6b0 in ay_mutex_unlock (m=0x0) at ay_sync.c:1745
#2 0x0806296c in TftpSession::scheduleIncomingPacket (this=0xf7495358, pPacket=0xf759aa90) at ../../../local/include/async.inl:134
#3 0x08062a93 in TftpSession::acquireActiveSession (pPacket=0xf759aa90, pSockAddr=0x14, ppSession=0xf759ab20) at session.cpp:807
#4 0x08058424 in TftpPacket::processIncomingPacket (this=0xf759aa90) at tftppacket.cpp:1049
#5 0x0805871c in TftpPacket::readCompleted (this=0xf759aa90) at tftppacket.cpp:942
#6 0x0806f29f in AWorkUnit::doWork (pWork=0xf759aaa0) at aworkunit.cpp:27
#7 0x009466cd in fw_work_function_do_work (self=0xf74383b8) at framework_work.c:111
#8 0x009432b3 in thread_top_level (self=0x14, argc=1, args=0xf76f6c08) at framework.c:1030
...
</pre>
Conditions: This happens when the TFTP session object is being removed and a packet arrives just before the socket is removed but is not processed by the server until slightly later. This can happen if processing of the newly received packet is suspended by a context switch. This is a race condition in which a lock is not held for long enough.
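The race described under Conditions, modelled as an added example; this is not Cisco's code and not the fix Cisco shipped, and the names `Session`, `SessionTable`, `deliver` and the port number are hypothetical. The session is pinned with a shared reference while the table lock is held, so a packet handler that resumes after the session has been removed still finds a valid mutex and drops the packet instead of unlocking a null one.

```cpp
#include <map>
#include <memory>
#include <mutex>
#include <string>
// Hypothetical model for illustration; not Cisco Network Registrar code.
struct Session {
    std::mutex lock;                 // guards pending and closing
    std::string pending;             // bytes queued for this transfer
    bool closing = false;
};
class SessionTable {
    std::mutex tableLock_;
    std::map<int, std::shared_ptr<Session>> byPort_;
public:
    void add(int port) {
        std::lock_guard<std::mutex> g(tableLock_);
        byPort_[port] = std::make_shared<Session>();
    }
    // Pin under the table lock: the reference keeps the session and its mutex alive.
    std::shared_ptr<Session> acquire(int port) {
        std::lock_guard<std::mutex> g(tableLock_);
        auto it = byPort_.find(port);
        return it == byPort_.end() ? std::shared_ptr<Session>() : it->second;
    }
    void remove(int port) {
        std::shared_ptr<Session> s = acquire(port);
        if (!s) return;
        { std::lock_guard<std::mutex> g(tableLock_); byPort_.erase(port); }
        std::lock_guard<std::mutex> g(s->lock);
        s->closing = true;           // late packets see this and back off
    }
};
// Second half of packet handling, run after the session has been pinned.
bool deliver(const std::shared_ptr<Session>& s, const std::string& pkt) {
    if (!s) return false;
    std::lock_guard<std::mutex> g(s->lock);
    if (s->closing) return false;
    s->pending += pkt;
    return true;
}

// Replays the bug's interleaving: pin, "suspend", remove, resume.
bool latePacketIsDroppedSafely() {
    SessionTable t;
    t.add(50001);                    // constructed port number
    auto pinned = t.acquire(50001);
    bool first = deliver(pinned, "DATA 1");
    t.remove(50001);
    return first && !deliver(pinned, "DATA 2") && !deliver(t.acquire(50001), "DATA 3");
}
```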