Details
- Type: Bug
- Status: Closed
- Priority: Minor
- Resolution: Fixed
- Affects Version/s: None
- Fix Version/s: V3.8.0.14, V3.9.0.9, V3.10.0.0 (open), V3.10.1.0 (trunk)
- Component/s: Core
- Labels: None
- Sprint: EIP PI8-IT4 (Nov 10 - Nov 21)
- Account: SPC EthernetIp Core (SPCETHERNET)
Description
A use-after-free condition may occur due to scheduler contention between the EipTimer_Delete() function and an already-enqueued EipTimer_SlowExpiry() job. Under this race condition, a timer that has been deleted may still fire, leading to invalid memory access within the timer expiry handler and ultimately causing a firmware crash.
The issue occurs when, under certain further conditions, EipTimer_Delete() removes a timer object while a corresponding EipTimer_SlowExpiry() job remains queued in the scheduler.
If the queued expiry job executes after the timer has been freed, a use-after-free situation arises under certain conditions. This behavior has been observed for the TX timer during FwOpen/FwClose long-term testing on both the netX90 and netX51/52 targets.
ETM tracing on netX51 revealed a coding error related to mutex handling in the timer module as the cause, which can lead to spurious executions of already deleted timers.
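The stale-job ordering described above, as an added example that is not the EtherNet/IP core's code: a single-threaded C model in which a queued expiry job carries a slot index and generation counter instead of a timer pointer, so a job that outlives its timer is dropped. All names (timer_create, scheduler_run_one, the pool and queue layout) are hypothetical, and the generation check is an illustrative guard, not the fix applied in the listed versions.

```c
#include <stdint.h>
#include <stdio.h>
#define POOL 4
#define QLEN 8
/* Hypothetical timer slot and queued expiry job; not the EtherNet/IP core's types. */
typedef struct { uint32_t gen; int live; int fired; } Timer;
typedef struct { uint8_t slot; uint32_t gen; } Job;
static Timer pool[POOL];
static Job queue[QLEN];
static unsigned q_head, q_tail;

/* Allocate a slot. Bumping gen invalidates jobs queued for a previous owner. */
int timer_create(void) {
    for (int i = 0; i < POOL; i++) {
        if (pool[i].live) continue;
        pool[i].live = 1; pool[i].gen++; pool[i].fired = 0;
        return i;
    }
    return -1;
}

/* Tick path: queue an expiry job that carries slot + generation, not a pointer. */
int timer_enqueue_expiry(int slot) {
    if (q_tail - q_head == QLEN) return -1;
    queue[q_tail++ % QLEN] = (Job){ (uint8_t)slot, pool[slot].gen };
    return 0;
}

/* Delete releases the slot; a job that is already queued stays in the queue. */
void timer_delete(int slot) { pool[slot].live = 0; pool[slot].gen++; }

/* 1 = handler ran, 0 = stale job dropped, -1 = empty. Firmware needs one lock here and in delete. */
int scheduler_run_one(void) {
    if (q_head == q_tail) return -1;
    Job j = queue[q_head++ % QLEN];
    Timer *t = &pool[j.slot];
    if (!t->live || t->gen != j.gen) return 0;  /* timer deleted or slot reused */
    t->fired++;
    return 1;
}

int main(void) {
    int a = timer_create();
    timer_enqueue_expiry(a);
    timer_delete(a);            /* expiry job for 'a' is still queued */
    int b = timer_create();     /* slot reused by a new timer */
    printf("stale job -> %d\n", scheduler_run_one());
    return pool[b].fired;       /* 0: the deleted timer never fired */
}
```

The model only reproduces the ordering; on a preemptive target the validity check, the handler and the delete path would have to be serialized by the same mutex for the guard to hold.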
Issue Links
- relates to PSEISV3-969: Update EtherNet/IP Core to V3.9.0.9 (Closed)