pespin has uploaded this change for review. (
https://gerrit.osmocom.org/c/libosmo-netif/+/38975?usp=email )
Change subject: stream_cli: steal talloc ctx upon delaying free to avoid use
after free
......................................................................
stream_cli: steal talloc ctx upon delaying free to avoid use after free
Scenario:
read_cb()
[user code] osmo_stream_cli_destroy()
stream_cli_close()
disconnect_cb()
(free is delayed because we are in cb)
[user code] (frees parent struct of "cli", which would free cli)
free_delayed_if_needed() called on an already freed poiter
Fixes: a6af7cb9dce9d4567d355bad873c60be68896eee
Related: OS#6651
Change-Id: Id7625558d4b1343d621fb51406fa7f841db864ee
---
M src/stream_cli.c
1 file changed, 5 insertions(+), 0 deletions(-)
git pull ssh://gerrit.osmocom.org:29418/libosmo-netif refs/changes/75/38975/1
diff --git a/src/stream_cli.c b/src/stream_cli.c
index 89681b0..2c1b00d 100644
--- a/src/stream_cli.c
+++ b/src/stream_cli.c
@@ -974,6 +974,11 @@
if (cli->in_cb_mask != 0) {
LOGSCLI(cli, LOGL_DEBUG, "delay free() in_cb_mask=0x%02x\n",
cli->in_cb_mask);
cli->delay_free = true;
+ /* Move ptr to avoid double free if parent ctx of cli is freed
+ * meanwhile (eg. during user callback after calling
+ * osmo_stream_client_destroy() and before returning from user
+ * callback. */
+ talloc_steal(OTC_GLOBAL, cli);
} else {
LOGSCLI(cli, LOGL_DEBUG, "free(destroy)\n");
talloc_free(cli);
--
To view, visit https://gerrit.osmocom.org/c/libosmo-netif/+/38975?usp=email
To unsubscribe, or for help writing mail filters, visit
https://gerrit.osmocom.org/settings?usp=email
Gerrit-MessageType: newchange
Gerrit-Project: libosmo-netif
Gerrit-Branch: master
Gerrit-Change-Id: Id7625558d4b1343d621fb51406fa7f841db864ee
Gerrit-Change-Number: 38975
Gerrit-PatchSet: 1
Gerrit-Owner: pespin <[email protected]>
