We have had several crashes when calling SLPFindSrvs.
We are passing a null scope list and the problem occurs in the following section of code:
/* Get a scope list if not supplied. */
if (pcScopeList == 0 || *pcScopeList == 0)
    pcScopeList = SLPPropertyGet("net.slp.useScopes", 0, 0);
If pcScopeList is NULL or an empty string, SLPPropertyGet returns the value from the slp.conf file. Sometimes, however, this call returns NULL; the return value is not checked, and when strlen() is later called on the NULL pointer the application crashes.
The first issue is that the code assumes SLPPropertyGet will always return a string, even though it can return NULL.
The bigger issue, however, is why SLPPropertyGet for "net.slp.useScopes" returns NULL when it has returned the correct value thousands of times before.
I believe this is caused by a race condition in the property access. Periodically libslp refreshes its properties by first clearing them and then reloading them. Modifications and accesses to the property list are protected by mutexes, but clearing and reloading the property list is not an atomic action; it is two actions, clearing and reloading. If SLPFindSrvs is unlucky enough to be called between these two actions, the call will crash.
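The following is an added illustration, not OpenSLP's code: a single property slot stands in for "net.slp.useScopes", the reader stands in for SLPPropertyGet, and the two-step refresh is interleaved with a reader by hand rather than by running threads. It shows both fixes the report points at: the caller checking for NULL before strlen(), and a refresh that publishes the new value in one step so there is no cleared state to observe.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the "net.slp.useScopes" property. In libslp each
 * function below would hold the property mutex; locking each step separately
 * still leaves a window between the two steps of a clear-then-reload refresh. */
static char *use_scopes = NULL;

/* Reader standing in for SLPPropertyGet(): NULL is a possible result. */
static const char *prop_get(void) { return use_scopes; }

/* Racy refresh as the report describes it: clear, then reload, as two calls. */
static void refresh_clear(void) { free(use_scopes); use_scopes = NULL; }
static void refresh_reload(const char *conf) { use_scopes = strdup(conf); }

/* Fixed refresh: build the replacement first, then swap it in as one step, so
 * a reader sees either the old value or the new one, never NULL. */
static void refresh_atomic(const char *conf)
{
    char *fresh = strdup(conf);
    char *old = use_scopes;
    use_scopes = fresh;                  /* the single publish step */
    free(old);                           /* readers must copy under the lock */
}

/* Caller pattern from the report, hardened: a NULL property never reaches
 * strlen(). Returns the scope-list length, or -1 when no scope list exists. */
static int scope_list_len(const char *pcScopeList)
{
    if (pcScopeList == 0 || *pcScopeList == 0)
        pcScopeList = prop_get();
    if (pcScopeList == 0)
        return -1;                       /* the original code crashed here */
    return (int)strlen(pcScopeList);
}

/* Reader arriving between clear and reload: returns 1 if it observed NULL. */
static int racy_refresh_reader_saw_null(void)
{
    refresh_atomic("DEFAULT");
    refresh_clear();                     /* step 1 of the racy refresh */
    int len = scope_list_len(NULL);      /* reader lands in the window */
    refresh_reload("DEFAULT");           /* step 2 */
    refresh_clear();
    return len == -1;
}

/* Reader arriving during an atomic refresh: returns 1 if it observed NULL. */
static int atomic_refresh_reader_saw_null(void)
{
    refresh_atomic("DEFAULT");
    refresh_atomic("DEFAULT,OTHER");     /* no cleared state exists in between */
    int len = scope_list_len(NULL);
    refresh_clear();
    return len == -1;
}
```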
This is version 2.0.0 Rev 1620.
Fixed in mercurial commit #1668.