author | Guillaume Nault <g.nault@alphalink.fr> | 2014-02-06 17:19:25 +0100 |
---|---|---|
committer | Dmitry Kozlov <xeb@mail.ru> | 2014-02-08 09:30:59 +0400 |
commit | 1744cf7d08f80e6d91423642b8c3b77d73b7321d (patch) | |
tree | 64bac209592934d45c5daec261808641e36e3472 | |
parent | 8cac531ce9580b8fa6a6f4e54ad15c16a69d1d48 (diff) | |

l2tp: Fix potential use after free by tunnel context thread

A triton context handler may not unregister itself while executed by
the context thread, unless it returns -1 (otherwise the md thread may
free the handler before the context thread stops using it).

So l2tp_conn_read() must return -1 after calling l2tp_tunnel_free()
(the md handler associated to l2tp_conn_read() may be unregistered
by l2tp_tunnel_free()).

Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>

-rw-r--r-- | accel-pppd/ctrl/l2tp/l2tp.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/accel-pppd/ctrl/l2tp/l2tp.c b/accel-pppd/ctrl/l2tp/l2tp.c index ee28598..26d6c14 100644 --- a/accel-pppd/ctrl/l2tp/l2tp.c +++ b/accel-pppd/ctrl/l2tp/l2tp.c @@ -3307,6 +3307,8 @@ static int l2tp_conn_read(struct triton_md_handler_t *h) "peer is unreachable," " disconnecting tunnel\n"); l2tp_tunnel_free(conn); + + return -1; } return 0; } |
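
Review bot: The `return -1;` added after `l2tp_tunnel_free(conn);` in l2tp_conn_read() depends on a lifetime rule that is stated only in the commit message, so nothing in the code tells a later reader why this branch cannot fall through to the `return 0;` below it. A one-line comment at the return would keep the fix from being undone in a cleanup, for example noting that l2tp_tunnel_free() may have unregistered this md handler and that -1 tells the context thread to stop using it. The empty `+` line before the return can be dropped, since the call and the return belong together. The hunk shows only the "peer is unreachable" branch; if l2tp_conn_read() has other branches that call l2tp_tunnel_free(conn), they should be checked for the same return value.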