laforge has submitted this change. ( https://gerrit.osmocom.org/c/libosmo-netif/+/38975?usp=email )

Change subject: stream_cli: steal talloc ctx upon delaying free to avoid use after free ......................................................................

stream_cli: steal talloc ctx upon delaying free to avoid use after free

Scenario: read_cb() [user code] osmo_stream_cli_destroy() stream_cli_close() disconnect_cb() (free is delayed because we are in cb) [user code] (frees parent struct of "cli", which would free cli) free_delayed_if_needed() called on an already freed poiter Fixes: a6af7cb9dce9d4567d355bad873c60be68896eee Related: OS#6651 Change-Id: Id7625558d4b1343d621fb51406fa7f841db864ee --- M src/stream_cli.c 1 file changed, 5 insertions(+), 0 deletions(-)

Approvals: Jenkins Builder: Verified fixeria: Looks good to me, but someone else must approve laforge: Looks good to me, approved

diff --git a/src/stream_cli.c b/src/stream_cli.c index 89681b0..2c1b00d 100644 --- a/src/stream_cli.c +++ b/src/stream_cli.c @@ -974,6 +974,11 @@ if (cli->in_cb_mask != 0) { LOGSCLI(cli, LOGL_DEBUG, "delay free() in_cb_mask=0x%02x\n", cli->in_cb_mask); cli->delay_free = true; + /* Move ptr to avoid double free if parent ctx of cli is freed + * meanwhile (eg. during user callback after calling + * osmo_stream_client_destroy() and before returning from user + * callback. */ + talloc_steal(OTC_GLOBAL, cli); } else { LOGSCLI(cli, LOGL_DEBUG, "free(destroy)\n"); talloc_free(cli);