diff options
| author | Gabriel Jeanneau <gabriel.jeanneau@6wind.com> | 2022-01-17 15:18:27 +0100 |
|---|---|---|
| committer | Stéphane Gonauer <stephane.gonauer@6wind.com> | 2022-03-04 13:12:58 +0100 |
| commit | c66678018c1f111bb361c8f2069c67c725ec9e1c (patch) | |
| tree | 55f4f0b1dfe5530ebfdb632849664ee7dc3b58e9 /accel-pppd | |
| parent | 57d5aa43123b8a8243e8e8e6971597afe352f9ed (diff) | |
| download | accel-ppp-c66678018c1f111bb361c8f2069c67c725ec9e1c.tar.gz accel-ppp-c66678018c1f111bb361c8f2069c67c725ec9e1c.zip | |
triton: fix use after free in timer.c
When using pppd_compat module, accel-ppp crash with SIGBUS on
spin_lock(&t->ctx->lock) of timer_thread.
When a moduile call triton_timer_del, fd are close without taking into
account epoll function and without removing from polled fd list.
File descriptor are removed from polled fd list and then close in
timer_thread avoiding use after free.
Fixes: 5bac5a2edb7b ("rewriting triton library...")
Signed-off-by: Gabriel Jeanneau <gabriel.jeanneau@6wind.com>
Diffstat (limited to 'accel-pppd')
| -rw-r--r-- | accel-pppd/triton/timer.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/accel-pppd/triton/timer.c b/accel-pppd/triton/timer.c index 744b10b..5b5d953 100644 --- a/accel-pppd/triton/timer.c +++ b/accel-pppd/triton/timer.c @@ -108,6 +108,8 @@ void *timer_thread(void *arg) while (!list_empty(&freed_list2)) { t = list_entry(freed_list2.next, typeof(*t), entry); + epoll_ctl(epoll_fd,EPOLL_CTL_DEL, t->fd, &t->epoll_event); + close(t->fd); list_del(&t->entry); triton_context_release(t->ctx); mempool_free(t); @@ -199,8 +201,6 @@ void __export triton_timer_del(struct triton_timer_t *ud) { struct _triton_timer_t *t = (struct _triton_timer_t *)ud->tpd; - close(t->fd); - spin_lock(&t->ctx->lock); t->ud = NULL; list_del(&t->entry); |