pespin has submitted this change. (
https://gerrit.osmocom.org/c/osmocom-bb/+/31109 )
Change subject: trxcon: Fix heap-use-after-free in l1ctl_client
......................................................................
trxcon: Fix heap-use-after-free in l1ctl_client
If the peer connected to trxcon restarts the process, read() on the unix
socket in trxcon fails, and triggers closing the conn (l1ctl_client),
which ends up freeing the struct. This all happens during read_cb() of
the l1ctl_client wqueue. If the kernel also flags WRITE event in the
same main loop iteration, the wqueue code would end up using the freed
struct again when running the write_cb.
Make sure the read_cb returns -EBADF in the code branch closing the conn
in read_cb, since it makes no sense to handle a write_cb after that.
This saves the code from accessing the potentially freed struct.
Related: OS#5872
Change-Id: I100a8ba056a09b4e52675e3539640da0c0f8d837
---
M src/host/trxcon/src/l1ctl_server.c
1 file changed, 1 insertion(+), 1 deletion(-)
Approvals:
Jenkins Builder: Verified
fixeria: Looks good to me, approved
diff --git a/src/host/trxcon/src/l1ctl_server.c b/src/host/trxcon/src/l1ctl_server.c
index bfbd997..c0f1015 100644
--- a/src/host/trxcon/src/l1ctl_server.c
+++ b/src/host/trxcon/src/l1ctl_server.c
@@ -61,7 +61,7 @@
rc = -EIO;
}
l1ctl_client_conn_close(client);
- return rc;
+ return -EBADF; /* client fd is gone, avoid processing any other events. */
}
/* Check message length */
--
To view, visit
https://gerrit.osmocom.org/c/osmocom-bb/+/31109
To unsubscribe, or for help writing mail filters, visit
https://gerrit.osmocom.org/settings
Gerrit-Project: osmocom-bb
Gerrit-Branch: master
Gerrit-Change-Id: I100a8ba056a09b4e52675e3539640da0c0f8d837
Gerrit-Change-Number: 31109
Gerrit-PatchSet: 1
Gerrit-Owner: pespin <pespin(a)sysmocom.de>
Gerrit-Reviewer: Jenkins Builder
Gerrit-Reviewer: fixeria <vyanitskiy(a)sysmocom.de>
Gerrit-Reviewer: pespin <pespin(a)sysmocom.de>
Gerrit-MessageType: merged