Fixed equeue_cancel behaviour on null id

geky · geky · commit da9a9662b9cd · 2016-08-15T21:08:57.000-05:00
If no event allocation has been performed, an id of zero maps to
uninitialized space. Since this may reside in bss, there is a high
chance the id of zero is incorrectly matched against the uninitialized
slab, causing quick memory corruption as the "event" is unqueued.
diff --git a/equeue.c b/equeue.c
@@ -26,7 +26,7 @@ static inline int equeue_clampdiff(unsigned a, unsigned b) {
 // Increment the unique id in an event, hiding the event from cancel
 static inline void equeue_incid(equeue_t *q, struct equeue_event *e) {
     e->id += 1;
-    if (e->id >> (8*sizeof(int)-1 - q->npw2)) {
+    if (!(e->id << q->npw2)) {
         e->id = 1;
     }
 }
@@ -341,6 +341,10 @@ int equeue_post(equeue_t *q, void (*cb)(void*), void *p) {
 }
 
 void equeue_cancel(equeue_t *q, int id) {
+    if (!id) {
+        return;
+    }
+
     struct equeue_event *e = equeue_unqueue(q, id);
     if (e) {
         equeue_dealloc(q, e + 1);

Original file line number	Diff line number	Diff line change
`@@ -26,7 +26,7 @@ static inline int equeue_clampdiff(unsigned a, unsigned b) {`
`26`	`26`	`// Increment the unique id in an event, hiding the event from cancel`
`27`	`27`	`static inline void equeue_incid(equeue_t q, struct equeue_event e) {`
`28`	`28`	`e->id += 1;`
`29`		`- if (e->id >> (8*sizeof(int)-1 - q->npw2)) {`
	`29`	`+ if (!(e->id << q->npw2)) {`
`30`	`30`	`e->id = 1;`
`31`	`31`	`}`
`32`	`32`	`}`
`@@ -341,6 +341,10 @@ int equeue_post(equeue_t q, void (cb)(void), void p) {`
`341`	`341`	`}`
`342`	`342`
`343`	`343`	`void equeue_cancel(equeue_t *q, int id) {`
	`344`	`+ if (!id) {`
	`345`	`+ return;`
	`346`	`+ }`
	`347`	`+`
`344`	`348`	`struct equeue_event *e = equeue_unqueue(q, id);`
`345`	`349`	`if (e) {`
`346`	`350`	`equeue_dealloc(q, e + 1);`