This is an automated email from the ASF dual-hosted git repository.

gmurthy pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/qpid-dispatch.git


The following commit(s) were added to refs/heads/main by this push:
     new a2785d2  DISPATCH-2274: Fix use after free of qd_link_t by using safe 
pointer as context
a2785d2 is described below

commit a2785d25e0ce2c0c9253fe26ab7d8470d6912b6d
Author: Ganesh Murthy <[email protected]>
AuthorDate: Thu Nov 4 17:09:58 2021 -0400

    DISPATCH-2274: Fix use after free of qd_link_t by using safe pointer as 
context
---
 src/router_core/connections.c | 35 +++++++++++++++++++++++++++++++----
 src/router_core/router_core.c |  4 +++-
 2 files changed, 34 insertions(+), 5 deletions(-)

diff --git a/src/router_core/connections.c b/src/router_core/connections.c
index 840b82f..08acb51 100644
--- a/src/router_core/connections.c
+++ b/src/router_core/connections.c
@@ -488,14 +488,39 @@ int qdr_connection_process(qdr_connection_t *conn)
 
 void qdr_link_set_context(qdr_link_t *link, void *context)
 {
-    if (link)
-        link->user_context = context;
+    if (link) {
+        if (context == 0) {
+            if (link->user_context) {
+                qd_nullify_safe_ptr((qd_alloc_safe_ptr_t *)link->user_context);
+                free(link->user_context);
+                link->user_context = 0;
+            }
+        }
+        else {
+            if (link->user_context) {
+                qd_nullify_safe_ptr((qd_alloc_safe_ptr_t *)link->user_context);
+                free(link->user_context);
+            }
+
+            qd_link_t_sp *safe_ptr = NEW(qd_alloc_safe_ptr_t);
+            set_safe_ptr_qd_link_t(context, safe_ptr);
+            link->user_context = safe_ptr;
+        }
+    }
 }
 
 
 void *qdr_link_get_context(const qdr_link_t *link)
 {
-    return link ? link->user_context : 0;
+    if (link) {
+        if (link->user_context) {
+            qd_link_t_sp *safe_qdl = (qd_link_t_sp*) link->user_context;
+            if (safe_qdl)
+                return safe_deref_qd_link_t(*safe_qdl);
+        }
+    }
+
+    return 0;
 }
 
 
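Review bot: qdr_link_set_context still accepts `void *context`, but the new body hands it to `set_safe_ptr_qd_link_t`, so the value must now be a qd_link_t (or 0); nothing in the signature or a comment says so, and a caller passing any other pointer type would have it treated as a qd_link_t. I would add a header comment such as `/* context must be a qd_link_t or 0; the link owns the safe pointer allocated here, and qdr_link_get_context() returns 0 once that qd_link_t has been freed */`. That last part is a contract change for qdr_link_get_context: callers that used to get back whatever they stored can now get 0, and since the callers are not visible in this diff, each should be checked for a null test before the result is dereferenced. Minor: `if (safe_qdl)` in qdr_link_get_context can never be false after the `link->user_context` check, and the nullify-and-free pair is duplicated in both branches of the setter.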
@@ -1090,7 +1115,9 @@ static void qdr_link_cleanup_CT(qdr_core_t *core, 
qdr_connection_t *conn, qdr_li
 
     if (link->reported_as_blocked)
         core->links_blocked--;
-
+    if (link->user_context) {
+        qdr_link_set_context(link, 0);
+    }
     free_qdr_link_t(link);
 }
 
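Review bot: Releasing `link->user_context` is now a manual step repeated before each `free_qdr_link_t(link)` (here and in qdr_core_free in router_core.c), so any other path that frees a qdr_link_t without it would leak the heap-allocated safe pointer that qdr_link_set_context now owns. Whether such paths exist is not visible in this diff; a comment at the field's declaration saying that user_context is owned by the link and must be cleared before the link is freed would help keep the free sites in sync. The outer `if (link->user_context)` is redundant in both hunks because qdr_link_set_context(link, 0) already tests it, so the three added lines can be just `qdr_link_set_context(link, 0);`. qdr_link_cleanup_CT's body starts outside the hunk.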
diff --git a/src/router_core/router_core.c b/src/router_core/router_core.c
index fb506c6..08293e3 100644
--- a/src/router_core/router_core.c
+++ b/src/router_core/router_core.c
@@ -244,7 +244,9 @@ void qdr_core_free(qdr_core_t *core)
             link_work = DEQ_HEAD(link->work_list);
         }
         sys_mutex_unlock(link->conn->work_lock);
-
+        if (link->user_context) {
+            qdr_link_set_context(link, 0);
+        }
         free_qdr_link_t(link);
         link = DEQ_HEAD(core->open_links);
     }
