Bug 804

Summary: null-pointer references in 3.7 internet stack
Product: ns-3    Reporter: Bill Roome <wdr>
Component: internet    Assignee: Tom Henderson <tomh>
Status: RESOLVED FIXED
Severity: major    CC: ns-bugs
Priority: P5
Version: ns-3.7
Hardware: Mac Intel
OS: Mac OS
Attachments: zip with revised versions of source files
             patch to fix

Description Bill Roome 2010-02-03 14:05:57 UTC
I found several places where the internet stack in 3.7 dereferences a null pointer. In general, these happen when the application closes TCP/IP connections before terminating the simulation.

Here's a summary:

ipv4-l3-protocol.cc, Ipv4L3Protocol::Send:
  Uses m_routingProtocol without verifying that it's valid.

tcp-l4-protocol.cc, TcpL4Protocol::SendPacket & TcpL4Protocol::Send:
  Uses pointer returned by ipv4->GetRoutingProtocol() without
  verifying that the pointer is valid.

tcp-socket-impl.cc, TcpSocketImpl::SendPendingData:
  Uses m_endPoint without verifying that it's valid.

I've attached a zip with revised versions of those files. They're based on 3.7 stable. The revised versions work, in that they don't crash, but I can't tell if I've merely treated the symptoms instead of curing the underlying disease.

I observed these problems on MacOS 10.5, but I doubt they are mac specific.

Comment 1 Bill Roome 2010-02-03 14:10:08 UTC
Created attachment 748
zip with revised versions of source files

Sorry if this is a duplicate; it looked like the attachment didn't get added when I created the bug report.

Comment 2 Tom Henderson 2010-02-04 01:36:38 UTC
Created attachment 750
patch to fix

I turned this into a regular patch.  I'll audit for more instances of this and try to check it in by end of the week.

Comment 3 Bill Roome 2010-02-04 12:32:12 UTC
In tcp-socket-impl.cc, TcpSocketImpl::SendEmptyPacket() can also be called when m_endPoint is null. The function should either check for m_endPoint == 0 (and return, I guess), or else the caller should verify that m_endPoint is valid.
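
The following is an added example, not ns-3 code and not any of the attached patches. It models the ordering problem described in the report and in the comment above: an application closes its socket, which releases the socket's endpoint (and, here, the stack's routing protocol), while a previously scheduled "send pending data" event is still in the event queue. When the event fires, the unguarded send path dereferences a null pointer; the guarded path checks m_endPoint and the routing protocol first and drops the data instead. The names Endpoint, RoutingProtocol, TcpSocket and Scheduler are stand-ins chosen for this example, and the Checked<T> wrapper, which throws on a null dereference so the failure can be observed rather than crashing the process, is this example's own device.

```cpp
#include <cstdint>
#include <functional>
#include <memory>
#include <queue>
#include <stdexcept>
#include <string>

// Thrown by Checked<T> instead of invoking undefined behaviour on a null
// dereference, so both behaviours below can be exercised and compared.
struct NullDereference : std::logic_error {
  using std::logic_error::logic_error;
};

// Example-only smart-pointer wrapper (stand-in for a raw/intrusive pointer).
template <typename T>
class Checked {
 public:
  Checked() = default;
  explicit Checked(std::shared_ptr<T> p) : m_p(std::move(p)) {}
  T* operator->() const {
    if (!m_p) throw NullDereference("null pointer dereferenced");
    return m_p.get();
  }
  explicit operator bool() const { return static_cast<bool>(m_p); }
  void Reset() { m_p.reset(); }
 private:
  std::shared_ptr<T> m_p;
};

struct Endpoint { uint16_t localPort; uint16_t peerPort; };
struct RoutingProtocol {
  int lookups = 0;
  bool RouteOutput() { ++lookups; return true; }
};

// FIFO event queue standing in for the simulator's scheduler.
class Scheduler {
 public:
  void Schedule(std::function<void()> ev) { m_events.push(std::move(ev)); }
  void Run() {
    while (!m_events.empty()) {
      auto ev = std::move(m_events.front());
      m_events.pop();
      ev();
    }
  }
 private:
  std::queue<std::function<void()>> m_events;
};

class TcpSocket {
 public:
  TcpSocket(Scheduler& sched, Checked<RoutingProtocol> routing, bool guarded)
      : m_sched(sched), m_routing(std::move(routing)), m_guarded(guarded),
        m_endPoint(std::make_shared<Endpoint>(Endpoint{49152, 80})) {}

  // Data is transmitted from a scheduled event, not inline in Send().
  void Send(int bytes) {
    m_pending += bytes;
    m_sched.Schedule([this] { SendPendingData(); });
  }

  // Application close releases the endpoint; the routing protocol may be
  // gone as well by the time the pending event runs.
  void Close() { m_endPoint.Reset(); m_routing.Reset(); }

  int Sent() const { return m_sent; }
  int Dropped() const { return m_dropped; }

 private:
  void SendPendingData() {
    if (m_guarded && (!m_endPoint || !m_routing)) {
      // Guarded pattern: a closed socket has nothing valid to send with.
      m_dropped += m_pending;
      m_pending = 0;
      return;
    }
    // Unguarded pattern: both pointers are used without being checked.
    if (m_endPoint->localPort != 0 && m_routing->RouteOutput()) {
      m_sent += m_pending;
      m_pending = 0;
    }
  }

  Scheduler& m_sched;
  Checked<RoutingProtocol> m_routing;
  bool m_guarded;
  Checked<Endpoint> m_endPoint;
  int m_pending = 0, m_sent = 0, m_dropped = 0;
};

// Sends 100 bytes, closes either before or after the scheduled event fires,
// and reports the outcome as a string for comparison.
std::string Run(bool guarded, bool closeBeforeEventFires) {
  Scheduler sched;
  TcpSocket sock(sched, Checked<RoutingProtocol>(std::make_shared<RoutingProtocol>()), guarded);
  sock.Send(100);
  if (closeBeforeEventFires) sock.Close();
  try {
    sched.Run();
  } catch (const NullDereference&) {
    return "crash";
  }
  if (!closeBeforeEventFires) sock.Close();
  return "sent=" + std::to_string(sock.Sent()) + ",dropped=" + std::to_string(sock.Dropped());
}
```

Run(false, true) reproduces the crash, Run(true, true) drops the pending data cleanly, and with the close after the event (second argument false) both variants send the 100 bytes, which is why the bug only surfaces when connections are closed before the simulation ends.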

Comment 4 Tom Henderson 2010-02-10 01:09:34 UTC
Pushed in changeset 7a60b058e7b4. This is mainly the reported cases but with protection for a couple more possibly null pointers similar to the above.