vty: Avoid use-after-free in VTY telnet interface

If the read callback closes the connection, conn is already freed, so we
can't dereference it. Instead, return -EBADFD from the read function if it
closed the connection, and check for that.
Daniel Willmann 2014-05-21 15:08:19 +02:00 committed by Holger Hans Peter Freyther
parent 17aa6b25cb
commit 77ab2f723e
2 changed files with 4 additions and 4 deletions


@ -120,7 +120,7 @@ static int client_data(struct osmo_fd *fd, unsigned int what)
} }
/* vty might have been closed from vithin vty_read() */ /* vty might have been closed from vithin vty_read() */
if (!conn->vty) if (rc == -EBADFD)
return rc; return rc;
if (what & BSC_FD_WRITE) { if (what & BSC_FD_WRITE) {
@ -193,7 +193,6 @@ void vty_event(enum event event, int sock, struct vty *vty)
break; break;
case VTY_CLOSED: case VTY_CLOSED:
/* vty layer is about to free() vty */ /* vty layer is about to free() vty */
connection->vty = NULL;
telnet_close_client(bfd); telnet_close_client(bfd);
break; break;
default: default:
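Review bot: The new `if (rc == -EBADFD)` guard in client_data is now the only protection for the code below it, because the VTY_CLOSED case in vty_event no longer clears `connection->vty`. The comment above the guard should state that lifetime contract, for example `/* vty_read() returns -EBADFD when it closed the vty; conn is freed by then, so do not touch it */`, which also fixes the "vithin" typo. The guard reads `rc` even when the read branch was not taken, and its initialisation is outside the hunk, so it is worth confirming that `rc` starts at 0. client_data's body starts and ends outside the hunk.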


@ -1432,9 +1432,10 @@ int vty_read(struct vty *vty)
} }
/* Check status. */ /* Check status. */
if (vty->status == VTY_CLOSE) if (vty->status == VTY_CLOSE) {
vty_close(vty); vty_close(vty);
else { return -EBADFD;
} else {
vty_event(VTY_WRITE, vty_sock, vty); vty_event(VTY_WRITE, vty_sock, vty);
vty_event(VTY_READ, vty_sock, vty); vty_event(VTY_READ, vty_sock, vty);
} }
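Review bot: vty_read() now returns a value that means "vty has been freed", but nothing at the function documents it, so a later caller could reintroduce the use-after-free by touching vty after the call. A header comment on vty_read() should say that -EBADFD means vty_close() ran and that the pointer, and the connection owning it, must not be used afterwards. Any other path that closes the vty during the read without returning -EBADFD would slip past the caller's check; the function starts and ends outside the hunk, so those paths need a separate audit. EBADFD is not a POSIX errno value, so if this library is built on non-Linux platforms the sentinel may need a portable alternative.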