pespin has uploaded this change for review. ( https://gerrit.osmocom.org/c/osmocom-bb/+/31109 )
Change subject: trxcon: Fix heap-use-after-free in l1ctl_client
......................................................................
trxcon: Fix heap-use-after-free in l1ctl_client
If the peer connected to trxcon restarts the process, read() on the unix socket in trxcon fails, and triggers closing the conn (l1ctl_client), which ends up freeing the struct. This all happens during read_cb() of the l1ctl_client wqueue. If the kernel also flags WRITE event in the same main loop iteration, the wqueue code would end up using the freed struct again when running the write_cb.
Make sure the read_cb returns -EBADF in the code branch closing the conn in read_cb, since it makes no sense to handle a write_cb after that. This saves the code from accessing the potentially freed struct.
Related: OS#5872
Change-Id: I100a8ba056a09b4e52675e3539640da0c0f8d837
---
M src/host/trxcon/src/l1ctl_server.c
1 file changed, 1 insertion(+), 1 deletion(-)
git pull ssh://gerrit.osmocom.org:29418/osmocom-bb refs/changes/09/31109/1
diff --git a/src/host/trxcon/src/l1ctl_server.c b/src/host/trxcon/src/l1ctl_server.c index bfbd997..c0f1015 100644 --- a/src/host/trxcon/src/l1ctl_server.c +++ b/src/host/trxcon/src/l1ctl_server.c @@ -61,7 +61,7 @@ rc = -EIO; } l1ctl_client_conn_close(client); - return rc; + return -EBADF; /* client fd is gone, avoid processing any other events. */ }
/* Check message length */
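Review bot: the changed return discards rc (set to -EIO in the same branch just above) in favour of the -EBADF sentinel, so the original read failure is no longer propagated and the `rc = -EIO;` assignment becomes dead on this path; log rc (or pass it to l1ctl_client_conn_close) before returning so the cause of the disconnect is not lost, and drop the dead assignment if nothing else in the function reads it. The fix also depends entirely on the write-queue dispatcher in libosmocore checking read_cb's return value for -EBADF and skipping write_cb for that fd in the same iteration; the trailing comment should state that contract explicitly, and the build should require a libosmocore version that honours it, otherwise the use-after-free described in the commit message remains reachable.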