From e38f7c74dc0383fc5daf3eea7a7ab63fae6379fa Mon Sep 17 00:00:00 2001
From: Dimitri Staessens
Date: Tue, 29 Mar 2022 19:41:21 +0200
Subject: lib: Fix use-after-free of recv_msg

The protobuf message was free'd before usage in flow_init.

Signed-off-by: Dimitri Staessens
Signed-off-by: Sander Vrijders
---
 src/lib/dev.c | 17 +++++++----------
 1 file changed, 7 insertions(+), 10 deletions(-)

diff --git a/src/lib/dev.c b/src/lib/dev.c
index ab869509..db6c9827 100644
--- a/src/lib/dev.c
+++ b/src/lib/dev.c
@@ -738,7 +738,6 @@ int flow_accept(qosspec_t * qs,
 uint8_t buf[MSGBUFSZ];
 int err = -EIRMD;
 ssize_t key_len;
- time_t mpl;
 memset(s, 0, SYMMKEYSZ);
@@ -794,15 +793,16 @@ int flow_accept(qosspec_t * qs,
 crypt_dh_pkp_destroy(pkp);
- mpl = recv_msg->mpl;
+ fd = flow_init(recv_msg->flow_id, recv_msg->pid,
+ msg_to_spec(recv_msg->qosspec), s,
+ recv_msg->mpl);
 irm_msg__free_unpacked(recv_msg, NULL);
- fd = flow_init(recv_msg->flow_id, recv_msg->pid,
- msg_to_spec(recv_msg->qosspec), s, mpl);
 if (fd < 0)
 return fd;
+
 pthread_rwlock_rdlock(&ai.lock);
 if (qs != NULL)
@@ -833,7 +833,6 @@ static int __flow_alloc(const char * dst,
 uint8_t s[SYMMKEYSZ]; /* secret key for flow */
 uint8_t buf[MSGBUFSZ];
 int err = -EIRMD;
- time_t mpl;
 memset(s, 0, SYMMKEYSZ);
@@ -902,13 +901,12 @@ static int __flow_alloc(const char * dst,
 }
- mpl = recv_msg->mpl;
+ fd = flow_init(recv_msg->flow_id, recv_msg->pid,
+ qs == NULL ? qos_raw : *qs, s,
+ recv_msg->mpl);
 irm_msg__free_unpacked(recv_msg, NULL);
- fd = flow_init(recv_msg->flow_id, recv_msg->pid,
- qs == NULL ? qos_raw : *qs, s, mpl);
-
 return fd;
 fail_result:
@@ -1627,7 +1625,6 @@ static int fqueue_filter(struct fqueue * fq)
 fd = ai.ports[fq->fqueue[fq->next]].fd;
 frcti = ai.flows[fd].frcti;
-
 if (frcti == NULL) {
 pthread_rwlock_unlock(&ai.lock);
 return 1;
--
cgit v1.2.3
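Review bot: In both the flow_accept hunk (@@ -794) and the __flow_alloc hunk (@@ -902) the dangling pointer survives the fix: `irm_msg__free_unpacked(recv_msg, NULL);` releases the message but `recv_msg` stays live in scope, which is exactly how the original use-after-free went unnoticed, so I would null it at both sites, `irm_msg__free_unpacked(recv_msg, NULL); recv_msg = NULL;`, so any later read faults loudly instead of reading freed memory. The new `flow_init(recv_msg->flow_id, recv_msg->pid, ..., recv_msg->mpl)` calls also consume fields of a message received from the daemon with no visible presence check; if those are optional fields in the proto, the generated presence flags should be checked before the values are trusted, though that may already happen earlier in the functions, whose bodies start and end outside these hunks. The added blank line before `pthread_rwlock_rdlock(&ai.lock);` in flow_accept leaves two consecutive empty lines, and the blank-line removal in fqueue_filter (@@ -1627) is unrelated whitespace churn that would read better in its own commit.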