Attention is currently required from: laforge, pespin.
1 comment:
File src/osmo_tls.c:
Patch Set #1, Line 529: sess->tls_hostname = client->tls_hostname;
can client be freed here somehow while sess keeps being valid and hence sess->tls_hostname ends up p […]
`struct osmo_tls_session` is a field of `struct osmo_pcap_client_conn`, not a pointer, so if the client is free()d, the inner session structure becomes heap garbage. However, use-after-free is still possible here: if the user does `no tls hostname` in the VTY while `verify_cert_cb()` is invoked asynchronously, `conn->tls_hostname` is free()d and we end up with a dangling pointer. So I added `talloc_strdup()`.
To view, visit change 42849.
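The ownership difference discussed in the comment above, as an added example that is not part of the original review or the project's code. The struct names are hypothetical stand-ins, `dup_string()` stands in for `talloc_strdup()`, and the dangling pointer is never dereferenced.

```c
#include <stdlib.h>
#include <string.h>
/* Hypothetical stand-ins for the structures named in the comment. */
struct tls_session { char *tls_hostname; };
struct client_conn {
    char *tls_hostname;        /* owned by the configuration (VTY) side */
    struct tls_session sess;   /* embedded in the connection, not a pointer */
};

/* Portable stand-in for talloc_strdup(): heap copy of s, NULL on failure. */
static char *dup_string(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    return p ? memcpy(p, s, n) : NULL;
}

/* Models "no tls hostname": the config side frees its string at any time. */
static void vty_no_tls_hostname(struct client_conn *c)
{
    free(c->tls_hostname);
    c->tls_hostname = NULL;
}

/* Borrowed variant: returns 1 if session and config share one allocation. */
static int borrowed_pointer_aliases(const char *name)
{
    struct client_conn c = {0};
    int aliased;
    if (!(c.tls_hostname = dup_string(name))) return -1;
    c.sess.tls_hostname = c.tls_hostname;          /* plain assignment */
    aliased = (c.sess.tls_hostname == c.tls_hostname);
    vty_no_tls_hostname(&c);   /* sess.tls_hostname now dangles; not read again */
    return aliased;
}

/* Owned variant: returns 1 if the session's name is intact after the reset. */
static int owned_copy_survives(const char *name)
{
    struct client_conn c = {0};
    int ok;
    if (!(c.tls_hostname = dup_string(name))) return -1;
    if (!(c.sess.tls_hostname = dup_string(c.tls_hostname))) { free(c.tls_hostname); return -1; }
    vty_no_tls_hostname(&c);   /* config string gone, session copy untouched */
    ok = strcmp(c.sess.tls_hostname, name) == 0;
    free(c.sess.tls_hostname); /* the session is now responsible for its copy */
    return ok;
}
int main(void) { return !(borrowed_pointer_aliases("host.example") == 1 && owned_copy_survives("host.example") == 1); }
```

With the owned copy, the session must free its string on teardown (or parent it to a talloc context that is freed with the session), otherwise the fix trades the dangling pointer for a leak.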