From e38f7c74dc0383fc5daf3eea7a7ab63fae6379fa Mon Sep 17 00:00:00 2001
From: Dimitri Staessens <dimitri@ouroboros.rocks>
Date: Tue, 29 Mar 2022 19:41:21 +0200
Subject: lib: Fix use-after-free of recv_msg

The protobuf message was free'd before usage in flow_init.

Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks>
Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
---
 src/lib/dev.c | 17 +++++++----------
 1 file changed, 7 insertions(+), 10 deletions(-)

diff --git a/src/lib/dev.c b/src/lib/dev.c
index ab869509..db6c9827 100644
--- a/src/lib/dev.c
+++ b/src/lib/dev.c
@@ -738,7 +738,6 @@ int flow_accept(qosspec_t *             qs,
         uint8_t     buf[MSGBUFSZ];
         int         err = -EIRMD;
         ssize_t     key_len;
-        time_t      mpl;
 
         memset(s, 0, SYMMKEYSZ);
 
@@ -794,15 +793,16 @@ int flow_accept(qosspec_t *             qs,
 
         crypt_dh_pkp_destroy(pkp);
 
-        mpl = recv_msg->mpl;
+        fd = flow_init(recv_msg->flow_id, recv_msg->pid,
+                       msg_to_spec(recv_msg->qosspec), s,
+                       recv_msg->mpl);
 
         irm_msg__free_unpacked(recv_msg, NULL);
 
-        fd = flow_init(recv_msg->flow_id, recv_msg->pid,
-                       msg_to_spec(recv_msg->qosspec), s, mpl);
         if (fd < 0)
                 return fd;
 
+
         pthread_rwlock_rdlock(&ai.lock);
 
         if (qs != NULL)
@@ -833,7 +833,6 @@ static int __flow_alloc(const char *            dst,
         uint8_t       s[SYMMKEYSZ];   /* secret key for flow */
         uint8_t       buf[MSGBUFSZ];
         int           err = -EIRMD;
-        time_t        mpl;
 
         memset(s, 0, SYMMKEYSZ);
 
@@ -902,13 +901,12 @@ static int __flow_alloc(const char *            dst,
         }
 
 
-        mpl = recv_msg->mpl;
+        fd = flow_init(recv_msg->flow_id, recv_msg->pid,
+                       qs == NULL ? qos_raw : *qs, s,
+                       recv_msg->mpl);
 
         irm_msg__free_unpacked(recv_msg, NULL);
 
-        fd = flow_init(recv_msg->flow_id, recv_msg->pid,
-                       qs == NULL ? qos_raw : *qs, s, mpl);
-
         return fd;
 
  fail_result:
@@ -1627,7 +1625,6 @@ static int fqueue_filter(struct fqueue * fq)
 
                 fd = ai.ports[fq->fqueue[fq->next]].fd;
                 frcti = ai.flows[fd].frcti;
-
                 if (frcti == NULL) {
                         pthread_rwlock_unlock(&ai.lock);
                         return 1;
-- 
cgit v1.2.3