trxcon: Fix heap-use-after-free in l1ctl_client
If the peer connected to trxcon restarts the process, read() on the unix socket in trxcon fails, and triggers closing the conn (l1ctl_client), which ends up freeing the struct. This all happens during read_cb() of the l1ctl_client wqueue. If the kernel also flags WRITE event in the same main loop iteration, the wqueue code would end up using the freed struct again when running the write_cb. Make sure the read_cb returns -EBADF in the code branch closing the conn in read_cb, since it makes no sense to handle a write_cb after that. This saves the code from accessing the potentially freed struct. Related: OS#5872 Change-Id: I100a8ba056a09b4e52675e3539640da0c0f8d837
This commit is contained in:
parent
c9cc4c305d
commit
2b11e9e97d
|
@ -61,7 +61,7 @@ static int l1ctl_client_read_cb(struct osmo_fd *ofd)
|
|||
rc = -EIO;
|
||||
}
|
||||
l1ctl_client_conn_close(client);
|
||||
return rc;
|
||||
return -EBADF; /* client fd is gone, avoid processing any other events. */
|
||||
}
|
||||
|
||||
/* Check message length */
|
||||
|
|
Loading…
Reference in New Issue