This is an automated email from the ASF dual-hosted git repository.
xiaoxiang pushed a commit to branch releases/12.7
in repository https://gitbox.apache.org/repos/asf/nuttx.git
The following commit(s) were added to refs/heads/releases/12.7 by this push:
new cc9d42804b local_sock: fix accept use-after-free
cc9d42804b is described below
commit cc9d42804beb1028f3e0051acfd55930069df469
Author: fangzhenwei <[email protected]>
AuthorDate: Fri Jun 7 11:51:15 2024 +0800
local_sock: fix accept use-after-free
we should get next waiter before acceptor released
Signed-off-by: fangzhenwei <[email protected]>
---
include/nuttx/queue.h | 3 +++
net/local/local_release.c | 5 ++---
2 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/include/nuttx/queue.h b/include/nuttx/queue.h
index 04bda577ee..89119d7723 100644
--- a/include/nuttx/queue.h
+++ b/include/nuttx/queue.h
@@ -170,6 +170,9 @@
for((p) = (q)->head, (tmp) = (p) ? (p)->flink : NULL; \
(p) != NULL; (p) = (tmp), (tmp) = (p) ? (p)->flink : NULL)
+#define dq_for_every(q, p) sq_for_every(q, p)
+#define dq_for_every_safe(q, p, tmp) sq_for_every_safe(q, p, tmp)
+
#define sq_rem(p, q) \
do \
{ \
diff --git a/net/local/local_release.c b/net/local/local_release.c
index f65bd81c24..0f32da000d 100644
--- a/net/local/local_release.c
+++ b/net/local/local_release.c
@@ -73,14 +73,13 @@ int local_release(FAR struct local_conn_s *conn)
{
FAR struct local_conn_s *accept;
FAR dq_entry_t *waiter;
+ FAR dq_entry_t *tmp;
DEBUGASSERT(conn->lc_proto == SOCK_STREAM);
/* Are there still clients waiting for a connection to the server? */
- for (waiter = dq_peek(&conn->u.server.lc_waiters);
- waiter != NULL;
- waiter = dq_next(&accept->u.accept.lc_waiter))
+ dq_for_every_safe(&conn->u.server.lc_waiters, waiter, tmp)
{
accept = container_of(waiter, struct local_conn_s,
u.accept.lc_waiter);
