[XS] Change in libosmo-netif[master]: stream_cli: steal talloc ctx upon delaying free to avoid use after free
28 Nov
2024
28 Nov
'24
6:04 p.m.
laforge has submitted this change. (
https://gerrit.osmocom.org/c/libosmo-netif/+/38975?usp=email )
Change subject: stream_cli: steal talloc ctx upon delaying free to avoid use after free
......................................................................
stream_cli: steal talloc ctx upon delaying free to avoid use after free
Scenario:
read_cb()
[user code] osmo_stream_cli_destroy()
stream_cli_close()
disconnect_cb()
(free is delayed because we are in cb)
[user code] (frees parent struct of "cli", which would free cli)
free_delayed_if_needed() called on an already freed poiter
Fixes: a6af7cb9dce9d4567d355bad873c60be68896eee
Related: OS#6651
Change-Id: Id7625558d4b1343d621fb51406fa7f841db864ee
---
M src/stream_cli.c
1 file changed, 5 insertions(+), 0 deletions(-)
Approvals:
Jenkins Builder: Verified
fixeria: Looks good to me, but someone else must approve
laforge: Looks good to me, approved
diff --git a/src/stream_cli.c b/src/stream_cli.c
index 89681b0..2c1b00d 100644
--- a/src/stream_cli.c
+++ b/src/stream_cli.c
@@ -974,6 +974,11 @@
if (cli->in_cb_mask != 0) {
LOGSCLI(cli, LOGL_DEBUG, "delay free() in_cb_mask=0x%02x\n",
cli->in_cb_mask);
cli->delay_free = true;
+ /* Move ptr to avoid double free if parent ctx of cli is freed
+ * meanwhile (eg. during user callback after calling
+ * osmo_stream_client_destroy() and before returning from user
+ * callback. */
+ talloc_steal(OTC_GLOBAL, cli);
} else {
LOGSCLI(cli, LOGL_DEBUG, "free(destroy)\n");
talloc_free(cli);
--
To view, visit https://gerrit.osmocom.org/c/libosmo-netif/+/38975?usp=email
To unsubscribe, or for help writing mail filters, visit
https://gerrit.osmocom.org/settings?usp=email
Gerrit-MessageType: merged
Gerrit-Project: libosmo-netif
Gerrit-Branch: master
Gerrit-Change-Id: Id7625558d4b1343d621fb51406fa7f841db864ee
Gerrit-Change-Number: 38975
Gerrit-PatchSet: 1
Gerrit-Owner: pespin <pespin(a)sysmocom.de>
Gerrit-Reviewer: Jenkins Builder
Gerrit-Reviewer: daniel <dwillmann(a)sysmocom.de>
Gerrit-Reviewer: fixeria <vyanitskiy(a)sysmocom.de>
Gerrit-Reviewer: laforge <laforge(a)osmocom.org>
Gerrit-Reviewer: osmith <osmith(a)sysmocom.de>
207
days inactive
207
days old
0 comments
1 participants
participants (1)
-
laforge