laforge submitted this change.
stream_cli: steal talloc ctx upon delaying free to avoid use after free
Scenario:
read_cb()
[user code] osmo_stream_cli_destroy()
stream_cli_close()
disconnect_cb()
(free is delayed because we are in cb)
[user code] (frees parent struct of "cli", which would free cli)
free_delayed_if_needed() called on an already freed pointer
Fixes: a6af7cb9dce9d4567d355bad873c60be68896eee
Related: OS#6651
Change-Id: Id7625558d4b1343d621fb51406fa7f841db864ee
---
M src/stream_cli.c
1 file changed, 5 insertions(+), 0 deletions(-)
diff --git a/src/stream_cli.c b/src/stream_cli.c
index 89681b0..2c1b00d 100644
--- a/src/stream_cli.c
+++ b/src/stream_cli.c
@@ -974,6 +974,11 @@
if (cli->in_cb_mask != 0) {
LOGSCLI(cli, LOGL_DEBUG, "delay free() in_cb_mask=0x%02x\n", cli->in_cb_mask);
cli->delay_free = true;
+ /* Move ptr to avoid double free if parent ctx of cli is freed
+ * meanwhile (eg. during user callback after calling
+ * osmo_stream_client_destroy() and before returning from user
+ * callback. */
+ talloc_steal(OTC_GLOBAL, cli);
} else {
LOGSCLI(cli, LOGL_DEBUG, "free(destroy)\n");
talloc_free(cli);
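Review bot: the new comment names osmo_stream_client_destroy(), but the API (and the scenario in the commit message) is osmo_stream_cli_destroy(); please correct the name, close the unbalanced parenthesis after "user callback", and write "e.g." so the comment matches the code it documents. On the logic: talloc_steal(OTC_GLOBAL, cli) does prevent the parent's talloc_free() from taking cli down while the callback is still executing, but it also means cli is no longer owned by anything the user controls, so the only path that ever releases it is the deferred talloc_free() in free_delayed_if_needed(); it would be worth a sentence in the comment (or the commit message) making explicit that delay_free must always be honoured once the mask clears, since a caller that never returns to the callback path would otherwise leave cli attached to OTC_GLOBAL for the lifetime of the process.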
Gerrit change 38975.