From a9ca6afa22fe52d048059a2e63f60a97e87747fa Mon Sep 17 00:00:00 2001
From: "Fabio M. Di Nitto"
Date: Sun, 24 Mar 2019 07:29:57 +0100
Subject: [PATCH] [transports] fix usage after free of transport info memory spotted while implementing functional testing for rekey. when configuring multiple hosts (3+) with 1 link sharing the same listener, but NOT enabling the link, if the user attempts to shutdown knet_h, the first call to knet_link_clear_config will not recognize that the listener is still in use by another link and will release all resources. At the time of invoking clear_config on the second link, transport_clear_config will access already freed memory, or alternatively, a call to link_enable would cause a crash because the listener does no longer exist.
Signed-off-by: Fabio M. Di Nitto
---
 libknet/transport_sctp.c | 3 +--
 libknet/transport_udp.c | 3 +--
 2 files changed, 2 insertions(+), 4 deletions(-)
diff --git a/libknet/transport_sctp.c b/libknet/transport_sctp.c
index 83fc359..5bf898c 100644
--- a/libknet/transport_sctp.c
+++ b/libknet/transport_sctp.c
@@ -1043,8 +1043,7 @@ static int sctp_link_listener_stop(knet_handle_t knet_h, struct knet_link *kn_li
 link_info = host->link[link_idx].transport_link;
 if ((link_info) &&
- (link_info->listener == info) &&
- (host->link[link_idx].status.enabled == 1)) {
+ (link_info->listener == info)) {
 found = 1;
 break;
 }
diff --git a/libknet/transport_udp.c b/libknet/transport_udp.c
index 3144502..3b7b8d1 100644
--- a/libknet/transport_udp.c
+++ b/libknet/transport_udp.c
@@ -186,8 +186,7 @@ int udp_transport_link_clear_config(knet_handle_t knet_h, struct knet_link *kn_l
 if (&host->link[link_idx] == kn_link)
 continue;
- if ((host->link[link_idx].transport_link == info) &&
- (host->link[link_idx].status.enabled == 1)) {
+ if (host->link[link_idx].transport_link == info) {
 found = 1;
 break;
 }
--
2.39.5
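Review bot: The in-use scan in sctp_link_listener_stop, and the matching loop in udp_transport_link_clear_config in transport_udp.c, now decides on its own whether a shared listener may be released, yet nothing in the code records why the link's enabled state is deliberately ignored. I would add a comment above each condition, e.g. `/* a configured link still references the listener even when it is not enabled; do not filter on status.enabled */`, so the check is not re-added later and the use-after-free brought back. Both function bodies start and end outside the hunks, so the release path and any locking around the scan are not visible here; if the listener's lifetime is not tracked elsewhere, a per-listener reference count would be more robust than rescanning every host's links on each clear. The commit message says the bug was found while writing functional tests, but no regression test for the shared-listener, link-not-enabled shutdown case is part of this patch.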