summaryrefslogtreecommitdiff
path: root/src/lib
diff options
context:
space:
mode:
authorDimitri Staessens <[email protected]>2022-03-29 19:41:21 +0200
committerSander Vrijders <[email protected]>2022-03-30 15:12:25 +0200
commite38f7c74dc0383fc5daf3eea7a7ab63fae6379fa (patch)
tree03cda6ec9f5591189fa691d6fd14abbf2baab5a0 /src/lib
parentc219668c4d2459579af77f6a2fb782337ca0fbae (diff)
downloadouroboros-e38f7c74dc0383fc5daf3eea7a7ab63fae6379fa.tar.gz
ouroboros-e38f7c74dc0383fc5daf3eea7a7ab63fae6379fa.zip
lib: Fix use-after-free of recv_msg
The protobuf message was free'd before usage in flow_init. Signed-off-by: Dimitri Staessens <[email protected]> Signed-off-by: Sander Vrijders <[email protected]>
Diffstat (limited to 'src/lib')
-rw-r--r--src/lib/dev.c17
1 files changed, 7 insertions, 10 deletions
diff --git a/src/lib/dev.c b/src/lib/dev.c
index ab869509..db6c9827 100644
--- a/src/lib/dev.c
+++ b/src/lib/dev.c
@@ -738,7 +738,6 @@ int flow_accept(qosspec_t * qs,
uint8_t buf[MSGBUFSZ];
int err = -EIRMD;
ssize_t key_len;
- time_t mpl;
memset(s, 0, SYMMKEYSZ);
@@ -794,15 +793,16 @@ int flow_accept(qosspec_t * qs,
crypt_dh_pkp_destroy(pkp);
- mpl = recv_msg->mpl;
+ fd = flow_init(recv_msg->flow_id, recv_msg->pid,
+ msg_to_spec(recv_msg->qosspec), s,
+ recv_msg->mpl);
irm_msg__free_unpacked(recv_msg, NULL);
- fd = flow_init(recv_msg->flow_id, recv_msg->pid,
- msg_to_spec(recv_msg->qosspec), s, mpl);
if (fd < 0)
return fd;
+
pthread_rwlock_rdlock(&ai.lock);
if (qs != NULL)
@@ -833,7 +833,6 @@ static int __flow_alloc(const char * dst,
uint8_t s[SYMMKEYSZ]; /* secret key for flow */
uint8_t buf[MSGBUFSZ];
int err = -EIRMD;
- time_t mpl;
memset(s, 0, SYMMKEYSZ);
@@ -902,13 +901,12 @@ static int __flow_alloc(const char * dst,
}
- mpl = recv_msg->mpl;
+ fd = flow_init(recv_msg->flow_id, recv_msg->pid,
+ qs == NULL ? qos_raw : *qs, s,
+ recv_msg->mpl);
irm_msg__free_unpacked(recv_msg, NULL);
- fd = flow_init(recv_msg->flow_id, recv_msg->pid,
- qs == NULL ? qos_raw : *qs, s, mpl);
-
return fd;
fail_result:
@@ -1627,7 +1625,6 @@ static int fqueue_filter(struct fqueue * fq)
fd = ai.ports[fq->fqueue[fq->next]].fd;
frcti = ai.flows[fd].frcti;
-
if (frcti == NULL) {
pthread_rwlock_unlock(&ai.lock);
return 1;