From 1744cf7d08f80e6d91423642b8c3b77d73b7321d Mon Sep 17 00:00:00 2001 From: Guillaume Nault Date: Thu, 6 Feb 2014 17:19:25 +0100 Subject: l2tp: Fix potential use after free by tunnel context thread A triton context handler may not unregister itself while executed by the context thread, unless it returns -1 (otherwise the md thread may free the handler before the context thread stops using it). So l2tp_conn_read() must return -1 after calling l2tp_tunnel_free() (the md handler associated to l2tp_conn_read() may be unregistered by l2tp_tunnel_free()). Signed-off-by: Guillaume Nault --- accel-pppd/ctrl/l2tp/l2tp.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/accel-pppd/ctrl/l2tp/l2tp.c b/accel-pppd/ctrl/l2tp/l2tp.c index ee28598c..26d6c144 100644 --- a/accel-pppd/ctrl/l2tp/l2tp.c +++ b/accel-pppd/ctrl/l2tp/l2tp.c @@ -3307,6 +3307,8 @@ static int l2tp_conn_read(struct triton_md_handler_t *h) "peer is unreachable," " disconnecting tunnel\n"); l2tp_tunnel_free(conn); + + return -1; } return 0; } -- cgit v1.2.3
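Review bot: the reason for the new `return -1;` after `l2tp_tunnel_free(conn);` is only stated in the commit message, not at the call site; a one-line comment above it (e.g. "/* tunnel freed, md handler may be unregistered: stop using h */") would keep the triton rule from being silently undone by a later edit that folds this branch into the common `return 0;`. The hunk also adds a bare `+` blank line between the free and the return that the surrounding style does not need. Only this one `l2tp_tunnel_free()` caller is visible in the hunk; any other path in `l2tp_conn_read()` that frees the tunnel would need the same `-1` return, and the `h` argument must not be touched after that point.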