summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorGuillaume Nault <g.nault@alphalink.fr>2014-02-06 17:19:25 +0100
committerDmitry Kozlov <xeb@mail.ru>2014-02-08 09:30:59 +0400
commit1744cf7d08f80e6d91423642b8c3b77d73b7321d (patch)
tree64bac209592934d45c5daec261808641e36e3472
parent8cac531ce9580b8fa6a6f4e54ad15c16a69d1d48 (diff)
downloadaccel-ppp-xebd-1744cf7d08f80e6d91423642b8c3b77d73b7321d.tar.gz
accel-ppp-xebd-1744cf7d08f80e6d91423642b8c3b77d73b7321d.zip
l2tp: Fix potential use after free by tunnel context thread
A triton context handler may not unregister itself while executed by the context thread, unless it returns -1 (otherwise the md thread may free the handler before the context thread stops using it). So l2tp_conn_read() must return -1 after calling l2tp_tunnel_free() (the md handler associated to l2tp_conn_read() may be unregistered by l2tp_tunnel_free()). Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
-rw-r--r--accel-pppd/ctrl/l2tp/l2tp.c2
1 files changed, 2 insertions, 0 deletions
diff --git a/accel-pppd/ctrl/l2tp/l2tp.c b/accel-pppd/ctrl/l2tp/l2tp.c
index ee28598..26d6c14 100644
--- a/accel-pppd/ctrl/l2tp/l2tp.c
+++ b/accel-pppd/ctrl/l2tp/l2tp.c
@@ -3307,6 +3307,8 @@ static int l2tp_conn_read(struct triton_md_handler_t *h)
"peer is unreachable,"
" disconnecting tunnel\n");
l2tp_tunnel_free(conn);
+
+ return -1;
}
return 0;
}