trxcon: Fix heap-use-after-free in l1ctl_client

If the peer connected to trxcon restarts the process, read() on the unix
socket in trxcon fails, and triggers closing the conn (l1ctl_client),
which ends up freeing the struct. This all happens during read_cb() of
the l1ctl_client wqueue. If the kernel also flags WRITE event in the
same main loop iteration, the wqueue code would end up using the freed
struct again when running the write_cb.

Make sure the read_cb returns -EBADF in the code branch closing the conn
in read_cb, since it makes no sense to handle a write_cb after that.
This saves the code from accessing the potentially freed struct.

Related: OS#5872
Change-Id: I100a8ba056a09b4e52675e3539640da0c0f8d837
Pau Espin 2023-01-30 18:19:39 +01:00
parent c9cc4c305d
commit 2b11e9e97d
1 changed files with 1 additions and 1 deletions

@ -61,7 +61,7 @@ static int l1ctl_client_read_cb(struct osmo_fd *ofd)
rc = -EIO;
}
l1ctl_client_conn_close(client);
return rc;
return -EBADF; /* client fd is gone, avoid processing any other events. */
}
/* Check message length */
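Review bot: the assignment `rc = -EIO;` just above the close call becomes dead on this branch, because the new `return -EBADF;` no longer returns `rc`; if `rc` is not consumed elsewhere in l1ctl_client_read_cb, drop that assignment to avoid a set-but-unused warning. Also, since the whole fix hinges on the specific value -EBADF being what makes the wqueue skip the write_cb (a plain negative `rc` would still fall through to it on the freed client), the inline comment should say so explicitly, e.g. `/* -EBADF tells the wqueue to stop handling this fd: client was freed by conn_close(). */`, so a later cleanup does not "simplify" it back to `return rc;`.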