From c66678018c1f111bb361c8f2069c67c725ec9e1c Mon Sep 17 00:00:00 2001
From: Gabriel Jeanneau <gabriel.jeanneau@6wind.com>
Date: Mon, 17 Jan 2022 15:18:27 +0100
Subject: triton: fix use after free in timer.c

When using pppd_compat module, accel-ppp crash with SIGBUS on
spin_lock(&t->ctx->lock) of timer_thread.

When a moduile call triton_timer_del, fd are close without taking into
account epoll function and without removing from polled fd list.

File descriptor are removed from polled fd list and then close in
timer_thread avoiding use after free.

Fixes: 5bac5a2edb7b ("rewriting triton library...")
Signed-off-by: Gabriel Jeanneau <gabriel.jeanneau@6wind.com>
---
 accel-pppd/triton/timer.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/accel-pppd/triton/timer.c b/accel-pppd/triton/timer.c
index 744b10b..5b5d953 100644
--- a/accel-pppd/triton/timer.c
+++ b/accel-pppd/triton/timer.c
@@ -108,6 +108,8 @@ void *timer_thread(void *arg)
 
 		while (!list_empty(&freed_list2)) {
 			t = list_entry(freed_list2.next, typeof(*t), entry);
+			epoll_ctl(epoll_fd,EPOLL_CTL_DEL, t->fd, &t->epoll_event);
+			close(t->fd);
 			list_del(&t->entry);
 			triton_context_release(t->ctx);
 			mempool_free(t);
@@ -199,8 +201,6 @@ void __export triton_timer_del(struct triton_timer_t *ud)
 {
 	struct _triton_timer_t *t = (struct _triton_timer_t *)ud->tpd;
 
-	close(t->fd);
-
 	spin_lock(&t->ctx->lock);
 	t->ud = NULL;
 	list_del(&t->entry);
-- 
cgit v1.2.3