From 6d86e5347e1dfb4342c848aa28b7e5c50a990fac Mon Sep 17 00:00:00 2001
From: Oswald Buddenhagen
Date: Sun, 22 Jul 2012 17:46:54 +0200
Subject: [PATCH] don't access free'd memory in cancel_sync() as it happens, the 1st round *may* trash svars - if we get the cancelation request after the slave store has already died.
---
 src/sync.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/src/sync.c b/src/sync.c
index f4315b3..865cd67 100644
--- a/src/sync.c
+++ b/src/sync.c
@@ -403,14 +403,17 @@ cancel_sync( sync_vars_t *svars )
 {
 int t;

- /* the 1st round is guaranteed not to trash svars */
- for (t = 0; t < 2; t++)
+ for (t = 0; t < 2; t++) {
+ int other_state = svars->state[1-t];
 if (svars->ret & SYNC_BAD(t)) {
 svars->drv[t]->cancel_store( svars->ctx[t] );
 cancel_done( AUX );
 } else {
 svars->drv[t]->cancel( svars->ctx[t], cancel_done, AUX );
 }
+ if (other_state & ST_CANCELED)
+ break;
+ }
 }

 static void
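Review bot: The `other_state` snapshot at the top of the loop body carries the whole use-after-free argument, yet it has no comment, and the commit removes the only comment that described the lifetime of svars. I would add `/* read before the call: the cancel path may free svars once both stores are canceled */` above `int other_state = svars->state[1-t];`. The guard is only as good as that snapshot: if `cancel_store()` or `cancel()` can mark the other store canceled re-entrantly during the call (not visible in this hunk), `other_state` is stale and the second iteration would still read `svars->state` and `svars->ret` from freed memory. That assumption is worth confirming and stating in the comment. Running the case from the commit message (cancel requested after the slave store has died) under AddressSanitizer would confirm that the loop no longer touches svars after the free.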