This is an automated email from the ASF dual-hosted git repository. kgiusti pushed a commit to branch 1.18.x in repository https://gitbox.apache.org/repos/asf/qpid-dispatch.git
commit ab16a59c50778e9c7c1692f89f562a411b106312 Author: Ganesh Murthy <[email protected]> AuthorDate: Thu Nov 4 17:09:58 2021 -0400 DISPATCH-2274: Fix use after free of qd_link_t by using safe pointer as context (cherry picked from commit a2785d25e0ce2c0c9253fe26ab7d8470d6912b6d)
---
 src/router_core/connections.c | 35 +++++++++++++++++++++++++++++++----
 src/router_core/router_core.c | 4 +++-
 2 files changed, 34 insertions(+), 5 deletions(-)
diff --git a/src/router_core/connections.c b/src/router_core/connections.c
index 840b82f..08acb51 100644
--- a/src/router_core/connections.c
+++ b/src/router_core/connections.c
@@ -488,14 +488,39 @@ int qdr_connection_process(qdr_connection_t *conn)
 void qdr_link_set_context(qdr_link_t *link, void *context) {
- if (link)
- link->user_context = context;
+ if (link) {
+ if (context == 0) {
+ if (link->user_context) {
+ qd_nullify_safe_ptr((qd_alloc_safe_ptr_t *)link->user_context);
+ free(link->user_context);
+ link->user_context = 0;
+ }
+ }
+ else {
+ if (link->user_context) {
+ qd_nullify_safe_ptr((qd_alloc_safe_ptr_t *)link->user_context);
+ free(link->user_context);
+ }
+
+ qd_link_t_sp *safe_ptr = NEW(qd_alloc_safe_ptr_t);
+ set_safe_ptr_qd_link_t(context, safe_ptr);
+ link->user_context = safe_ptr;
+ }
+ }
 }
 void *qdr_link_get_context(const qdr_link_t *link) {
- return link ? link->user_context : 0;
+ if (link) {
+ if (link->user_context) {
+ qd_link_t_sp *safe_qdl = (qd_link_t_sp*) link->user_context;
+ if (safe_qdl)
+ return safe_deref_qd_link_t(*safe_qdl);
+ }
+ }
+
+ return 0;
 }
@@ -1090,7 +1115,9 @@ static void qdr_link_cleanup_CT(qdr_core_t *core, qdr_connection_t *conn, qdr_li
 if (link->reported_as_blocked) core->links_blocked--;
-
+ if (link->user_context) {
+ qdr_link_set_context(link, 0);
+ }
 free_qdr_link_t(link);
 }
diff --git a/src/router_core/router_core.c b/src/router_core/router_core.c
index fb506c6..08293e3 100644
--- a/src/router_core/router_core.c
+++ b/src/router_core/router_core.c
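Review bot: In `qdr_link_set_context` the `void *context` argument is now passed straight to `set_safe_ptr_qd_link_t`, so the function is only correct when the caller supplies a pool-allocated `qd_link_t`, yet the signature still accepts any pointer. If some caller stores a different kind of object here, the safe-pointer setup and the later `safe_deref_qd_link_t` in `qdr_link_get_context` would presumably act on memory that does not carry the expected allocator bookkeeping; the callers are not visible in this diff, so this needs checking. I would state the contract above the function, for example `/* context must be a pool-allocated qd_link_t, or 0 to clear; the link owns the safe pointer that wraps it */`. Separately, the nullify-and-free of the old `user_context` is written twice and could run once before the `context == 0` test, and the `if (safe_qdl)` test in the getter repeats the `link->user_context` check directly above it.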
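Review bot: The safe pointer held in `link->user_context` is heap-allocated, so it leaks on any path that reaches `free_qdr_link_t(link)` without first calling `qdr_link_set_context(link, 0)`. The call is added here in `qdr_link_cleanup_CT` and in `qdr_core_free` in router_core.c, but other free sites, if any exist, are not visible in this diff and should be checked. The outer `if (link->user_context)` guard in both places is redundant, because `qdr_link_set_context` already makes that test when `context == 0`; the call can stand alone as `qdr_link_set_context(link, 0);`. A short comment such as `/* release the safe pointer before the link itself is freed */` would make the ordering requirement explicit. `qdr_link_cleanup_CT` begins outside the hunk.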
@@ -244,7 +244,9 @@ void qdr_core_free(qdr_core_t *core)
 link_work = DEQ_HEAD(link->work_list);
 }
 sys_mutex_unlock(link->conn->work_lock);
-
+ if (link->user_context) {
+ qdr_link_set_context(link, 0);
+ }
 free_qdr_link_t(link);
 link = DEQ_HEAD(core->open_links);
 }
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
