vty: Avoid use-after-free in VTY telnet interface

If the read callback closes the connection conn is already freed so we can't derefernce it. Instead return -EBADFD in the read function if it closed the connection and check for that.
author: Daniel Willmann <dwillmann@sysmocom.de> 2014-05-21 15:08:19 +0200
committer: Holger Hans Peter Freyther <holger@moiji-mobile.com> 2014-06-22 16:57:22 +0200
commit: 77ab2f723ee221e0a12f9664383c578e62b7cd13 (patch)
tree: 9f139d71e8294e60e05b3f962acfed75c8089f8a /src/vty/telnet_interface.c
parent: 17aa6b25cb0b720279f5d8221de17b01398d0143 (diff)
1 files changed, 1 insertions, 2 deletions
diff --git a/src/vty/telnet_interface.c b/src/vty/telnet_interface.c
index 32ab6bee..0a04d158 100644
--- a/src/vty/telnet_interface.c
+++ b/src/vty/telnet_interface.c
@@ -120,7 +120,7 @@ static int client_data(struct osmo_fd *fd, unsigned int what)
 	}
 
 	/* vty might have been closed from vithin vty_read() */
-	if (!conn->vty)
+	if (rc == -EBADFD)
 		return rc;
 
 	if (what & BSC_FD_WRITE) {
@@ -193,7 +193,6 @@ void vty_event(enum event event, int sock, struct vty *vty)
 		break;
 	case VTY_CLOSED:
 		/* vty layer is about to free() vty */
-		connection->vty = NULL;
 		telnet_close_client(bfd);
 		break;
 	default:
author	Daniel Willmann <dwillmann@sysmocom.de>	2014-05-21 15:08:19 +0200
committer	Holger Hans Peter Freyther <holger@moiji-mobile.com>	2014-06-22 16:57:22 +0200
commit	77ab2f723ee221e0a12f9664383c578e62b7cd13 (patch)
tree	9f139d71e8294e60e05b3f962acfed75c8089f8a /src/vty/telnet_interface.c
parent	17aa6b25cb0b720279f5d8221de17b01398d0143 (diff)