]> git.proxmox.com Git - mirror_kronosnet.git/commitdiff
projects / mirror_kronosnet.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 78d00c8)
[transports] fix usage after free of transport info memory
authorFabio M. Di Nitto <fdinitto@redhat.com>
Sun, 24 Mar 2019 06:29:57 +0000 (07:29 +0100)
committerFabio M. Di Nitto <fdinitto@redhat.com>
Mon, 25 Mar 2019 13:24:19 +0000 (14:24 +0100)
spotted while implementing functional testing for rekey.

when configuring multiple hosts (3+) with 1 link sharing
the same listener, but NOT enabling the link, if the user
attempts to shutdown knet_h, the first call to knet_link_clear_config
will not recognize that the listener is still in use by another
link and will release all resources.
At the time of invoking clear_config on the second link, transport_clear_config
will access already freed memory, or alternatively, a call to
link_enable would cause a crash because the listener does no
longer exist.

Signed-off-by: Fabio M. Di Nitto <fdinitto@redhat.com>
libknet/transport_sctp.c patch | blob | blame | history
libknet/transport_udp.c patch | blob | blame | history

diff --git a/libknet/transport_sctp.c b/libknet/transport_sctp.c
index 4defc13014861c3e44c90b6332dead24eab710cc..e7e3629d4cf62b36fd2ce867fab3d7e33c409d14 100644 (file)
--- a/libknet/transport_sctp.c
+++ b/libknet/transport_sctp.c
@@ -1069,8 +1069,7 @@ static int sctp_link_listener_stop(knet_handle_t knet_h, struct knet_link *kn_li
 
                        link_info = host->link[link_idx].transport_link;
                        if ((link_info) &&
-                           (link_info->listener == info) &&
-                           (host->link[link_idx].status.enabled == 1)) {
+                           (link_info->listener == info)) {
                                found = 1;
                                break;
                        }
diff --git a/libknet/transport_udp.c b/libknet/transport_udp.c
index a281ac9a6c1a4bfd4d93808f77fa697f4f80cd06..7eba891061268e9ee187bd50b3cbdde7c8810cd1 100644 (file)
--- a/libknet/transport_udp.c
+++ b/libknet/transport_udp.c
@@ -186,8 +186,7 @@ int udp_transport_link_clear_config(knet_handle_t knet_h, struct knet_link *kn_l
                        if (&host->link[link_idx] == kn_link)
                                continue;
 
-                       if ((host->link[link_idx].transport_link == info) &&
-                           (host->link[link_idx].status.enabled == 1)) {
+                       if (host->link[link_idx].transport_link == info) {
                                found = 1;
                                break;
                        }
kronosnet mirror