author | Dimitri Staessens <[email protected]> | 2022-03-29 19:41:21 +0200 |
---|---|---|
committer | Sander Vrijders <[email protected]> | 2022-03-30 15:12:25 +0200 |
commit | e38f7c74dc0383fc5daf3eea7a7ab63fae6379fa (patch) | |
tree | 03cda6ec9f5591189fa691d6fd14abbf2baab5a0 | |
parent | c219668c4d2459579af77f6a2fb782337ca0fbae (diff) | |
lib: Fix use-after-free of recv_msg
The protobuf message was freed before it was used in flow_init.
Signed-off-by: Dimitri Staessens <[email protected]>
Signed-off-by: Sander Vrijders <[email protected]>
-rw-r--r-- | src/lib/dev.c | 17 |
1 files changed, 7 insertions, 10 deletions
diff --git a/src/lib/dev.c b/src/lib/dev.c
index ab869509..db6c9827 100644
--- a/src/lib/dev.c
+++ b/src/lib/dev.c
@@ -738,7 +738,6 @@ int flow_accept(qosspec_t * qs,
 uint8_t buf[MSGBUFSZ];
 int err = -EIRMD;
 ssize_t key_len;
- time_t mpl;
 memset(s, 0, SYMMKEYSZ);
@@ -794,15 +793,16 @@ int flow_accept(qosspec_t * qs,
 crypt_dh_pkp_destroy(pkp);
- mpl = recv_msg->mpl;
+ fd = flow_init(recv_msg->flow_id, recv_msg->pid,
+ msg_to_spec(recv_msg->qosspec), s,
+ recv_msg->mpl);
 irm_msg__free_unpacked(recv_msg, NULL);
- fd = flow_init(recv_msg->flow_id, recv_msg->pid,
- msg_to_spec(recv_msg->qosspec), s, mpl);
 if (fd < 0)
 return fd;
+
 pthread_rwlock_rdlock(&ai.lock);
 if (qs != NULL)
@@ -833,7 +833,6 @@ static int __flow_alloc(const char * dst,
 uint8_t s[SYMMKEYSZ]; /* secret key for flow */
 uint8_t buf[MSGBUFSZ];
 int err = -EIRMD;
- time_t mpl;
 memset(s, 0, SYMMKEYSZ);
@@ -902,13 +901,12 @@ static int __flow_alloc(const char * dst,
 }
- mpl = recv_msg->mpl;
+ fd = flow_init(recv_msg->flow_id, recv_msg->pid,
+ qs == NULL ? qos_raw : *qs, s,
+ recv_msg->mpl);
 irm_msg__free_unpacked(recv_msg, NULL);
- fd = flow_init(recv_msg->flow_id, recv_msg->pid,
- qs == NULL ? qos_raw : *qs, s, mpl);
-
 return fd;
 fail_result:
@@ -1627,7 +1625,6 @@ static int fqueue_filter(struct fqueue * fq)
 fd = ai.ports[fq->fqueue[fq->next]].fd;
 frcti = ai.flows[fd].frcti;
-
 if (frcti == NULL) {
 pthread_rwlock_unlock(&ai.lock);
 return 1; |
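Review bot: The corrected lifetime in the flow_accept hunk (and the identical change in the __flow_alloc hunk) is enforced only by statement order, so a comment above the flow_init call should pin it down before a later edit moves irm_msg__free_unpacked back up: `/* recv_msg must outlive flow_init: flow_id, pid, qosspec and mpl are read from it. */`. Both functions begin and end outside the hunks, so it is not visible whether flow_init copies everything it needs or keeps a reference into recv_msg (for instance whatever msg_to_spec returns); if it retained one, freeing the message immediately after the call would still be a use-after-free, which is worth confirming in flow_init. The `if (fd < 0)` check now sits after the free, which is fine since it reads no message field.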