From patchwork Wed May 21 13:08:19 2014 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Daniel Willmann X-Patchwork-Id: 351177 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from ganesha.gnumonks.org (ganesha.gnumonks.org [IPv6:2001:780:45:1d:225:90ff:fe52:c662]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 03F0F1400D4 for ; Wed, 21 May 2014 23:15:52 +1000 (EST) Received: from localhost ([127.0.0.1] helo=ganesha.gnumonks.org) by ganesha.gnumonks.org with esmtp (Exim 4.72) (envelope-from ) id 1Wn6Mt-00020i-6G; Wed, 21 May 2014 15:15:39 +0200 Received: from isonoe.totalueberwachung.de ([2a01:198:210:100::1]) by ganesha.gnumonks.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.72) (envelope-from ) id 1Wn6G3-0000xP-Li for openbsc@lists.osmocom.org; Wed, 21 May 2014 15:08:42 +0200 Received: from adrastea.totalueberwachung.de (24-134-58-61-dynip.superkabel.de [24.134.58.61]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by isonoe.totalueberwachung.de (Postfix) with ESMTPSA id 3EF9560058; Wed, 21 May 2014 15:08:35 +0200 (CEST) Received: by adrastea.totalueberwachung.de (Postfix, from userid 1000) id 8640C220D7; Wed, 21 May 2014 15:08:32 +0200 (CEST) From: Daniel Willmann To: OpenBSC Mailing List Subject: [PATCH 2/2] vty: Avoid use-after-free in VTY telnet interface Date: Wed, 21 May 2014 15:08:19 +0200 Message-Id: X-Mailer: git-send-email 1.8.4.2 In-Reply-To: References: In-Reply-To: References: X-Spam-Score: -0.0 (/) Cc: Daniel Willmann X-BeenThere: openbsc@lists.osmocom.org X-Mailman-Version: 2.1.13 Precedence: list List-Id: Development of the OpenBSC GSM base station controller List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: openbsc-bounces@lists.osmocom.org Errors-To: openbsc-bounces@lists.osmocom.org If the read callback closes the connection conn is already freed so we can't derefernce it. Instead return -EBADFD in the read function if it closed the connection and check for that. --- src/vty/telnet_interface.c | 3 +-- src/vty/vty.c | 5 +++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/src/vty/telnet_interface.c b/src/vty/telnet_interface.c index 32ab6be..0a04d15 100644 --- a/src/vty/telnet_interface.c +++ b/src/vty/telnet_interface.c @@ -120,7 +120,7 @@ static int client_data(struct osmo_fd *fd, unsigned int what) } /* vty might have been closed from vithin vty_read() */ - if (!conn->vty) + if (rc == -EBADFD) return rc; if (what & BSC_FD_WRITE) { @@ -193,7 +193,6 @@ void vty_event(enum event event, int sock, struct vty *vty) break; case VTY_CLOSED: /* vty layer is about to free() vty */ - connection->vty = NULL; telnet_close_client(bfd); break; default: diff --git a/src/vty/vty.c b/src/vty/vty.c index 8bfc35c..fc86bdf 100644 --- a/src/vty/vty.c +++ b/src/vty/vty.c @@ -1432,9 +1432,10 @@ int vty_read(struct vty *vty) } /* Check status. */ - if (vty->status == VTY_CLOSE) + if (vty->status == VTY_CLOSE) { vty_close(vty); - else { + return -EBADFD; + } else { vty_event(VTY_WRITE, vty_sock, vty); vty_event(VTY_READ, vty_sock, vty); }