From ebc6f6efc4a83802c03679c74be36974a3dcb4e3 Mon Sep 17 00:00:00 2001
From: Guillaume Roguez <guillaume.roguez@savoirfairelinux.com>
Date: Tue, 23 May 2017 15:09:24 -0400
Subject: [PATCH] dtls: fix race-condition during pkt flush

Remove a race condition on the packet-reorder std::map
during its flush.
This race caused application crashes.

Change-Id: I01ebf56f8cca141585f11c1090262d3b44f34544
Reviewed-by: Andreas Traczyk <andreas.traczyk@savoirfairelinux.com>
---
 src/security/tls_session.cpp | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/src/security/tls_session.cpp b/src/security/tls_session.cpp
index cf3fa7043d..423eca605a 100644
--- a/src/security/tls_session.cpp
+++ b/src/security/tls_session.cpp
@@ -962,16 +962,17 @@ TlsSession::flushRxQueue()
     // Loop on offset-ordered received packet until a discontinuity in sequence number
     while (item != std::end(reorderBuffer_) and item->first <= next_offset) {
         auto pkt_offset = item->first;
-        auto& pkt = item->second;
+        auto pkt = std::move(item->second);
+
+        // Remove item before unlocking to not trash the item' relationship
+        next_offset = pkt_offset + 1;
+        item = reorderBuffer_.erase(item);
 
         if (callbacks_.onRxData) {
             lk.unlock();
             callbacks_.onRxData(std::move(pkt));
             lk.lock();
         }
-
-        next_offset = pkt_offset + 1;
-        item = reorderBuffer_.erase(item);
     }
 
     gapOffset_ = std::max(gapOffset_, next_offset);
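Review bot: The iterator `item` returned by `reorderBuffer_.erase(item)` is still held across `lk.unlock()` / `lk.lock()` around `callbacks_.onRxData`, so the loop condition can dereference it after other code has touched the map. std::map iterators survive insertions but not erasure of the element they point to, so if any other path (a concurrent flush, or a teardown that clears `reorderBuffer_`) can run while the callback executes, `item->first` reads freed memory; whether such a path exists is not visible here. Since the buffer is filled from network packets, this would be a remotely reachable crash. Re-seeking after relocking, e.g. `item = std::begin(reorderBuffer_);` right after `lk.lock();`, would avoid holding an iterator while unlocked, assuming the loop starts from the beginning of the map (the start of flushRxQueue is outside the hunk). The added comment would also read more clearly as `// Erase under lock: no iterator or reference to this element may be used once the lock is released`.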
-- 
GitLab