authorDaniel Willmann <dwillmann@sysmocom.de>2014-05-21 15:08:19 +0200
committerHolger Hans Peter Freyther <holger@moiji-mobile.com>2014-06-22 16:57:22 +0200
commit77ab2f723ee221e0a12f9664383c578e62b7cd13 (patch)
tree9f139d71e8294e60e05b3f962acfed75c8089f8a /src/vty
parent17aa6b25cb0b720279f5d8221de17b01398d0143 (diff)
vty: Avoid use-after-free in VTY telnet interface
If the read callback closes the connection, conn is already freed, so we can't dereference it. Instead, return -EBADFD from the read function if it closed the connection, and check for that.
Diffstat (limited to 'src/vty')
-rw-r--r--src/vty/telnet_interface.c3
-rw-r--r--src/vty/vty.c5
2 files changed, 4 insertions, 4 deletions
diff --git a/src/vty/telnet_interface.c b/src/vty/telnet_interface.c
index 32ab6bee..0a04d158 100644
--- a/src/vty/telnet_interface.c
+++ b/src/vty/telnet_interface.c
@@ -120,7 +120,7 @@ static int client_data(struct osmo_fd *fd, unsigned int what)
}
/* vty might have been closed from vithin vty_read() */
- if (!conn->vty)
+ if (rc == -EBADFD)
return rc;
if (what & BSC_FD_WRITE) {
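Review bot: The `if (rc == -EBADFD)` check is now the only thing keeping the `BSC_FD_WRITE` branch below it from running on a freed conn, yet the comment above it still only says the vty "might have been closed" (and misspells "within"). I would reword it to state the contract, e.g. `/* vty_read() returns -EBADFD once it has closed the vty; conn is freed by then and must not be touched */`. The guard presumably relies on rc being initialised and set only from vty_read() earlier in client_data(), which starts outside the hunk, so that is worth confirming. Any path that closes the connection during the read without producing -EBADFD would still fall through to the write branch.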
@@ -193,7 +193,6 @@ void vty_event(enum event event, int sock, struct vty *vty)
break;
case VTY_CLOSED:
/* vty layer is about to free() vty */
- connection->vty = NULL;
telnet_close_client(bfd);
break;
default:
diff --git a/src/vty/vty.c b/src/vty/vty.c
index 8bfc35cd..fc86bdf3 100644
--- a/src/vty/vty.c
+++ b/src/vty/vty.c
@@ -1432,9 +1432,10 @@ int vty_read(struct vty *vty)
}
/* Check status. */
- if (vty->status == VTY_CLOSE)
+ if (vty->status == VTY_CLOSE) {
vty_close(vty);
- else {
+ return -EBADFD;
+ } else {
vty_event(VTY_WRITE, vty_sock, vty);
vty_event(VTY_READ, vty_sock, vty);
}
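Review bot: The new `return -EBADFD;` after `vty_close(vty)` makes the return value of vty_read() the only signal that the vty has been freed, but nothing in the hunk documents that, and client_data() in telnet_interface.c is the only caller this commit updates to check for it. I would add a comment on the return, `/* vty is gone after vty_close(); callers must not touch it once they see -EBADFD */`, and state the same in the function's header comment, which lies outside the hunk. Any other caller of vty_read() that keeps using the vty afterwards would need the same check. EBADFD is also not a POSIX errno value, so if this library is built for non-Linux targets a portable code or a fallback definition may be needed.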