diff options
author | Daniel Willmann <dwillmann@sysmocom.de> | 2014-05-21 15:08:19 +0200 |
---|---|---|
committer | Holger Hans Peter Freyther <holger@moiji-mobile.com> | 2014-06-22 16:57:22 +0200 |
commit | 77ab2f723ee221e0a12f9664383c578e62b7cd13 (patch) | |
tree | 9f139d71e8294e60e05b3f962acfed75c8089f8a /src/vty/telnet_interface.c | |
parent | 17aa6b25cb0b720279f5d8221de17b01398d0143 (diff) |
vty: Avoid use-after-free in VTY telnet interface
If the read callback closes the connection conn is already freed so we
can't derefernce it. Instead return -EBADFD in the read function if it
closed the connection and check for that.
Diffstat (limited to 'src/vty/telnet_interface.c')
-rw-r--r-- | src/vty/telnet_interface.c | 3 |
1 files changed, 1 insertions, 2 deletions
diff --git a/src/vty/telnet_interface.c b/src/vty/telnet_interface.c index 32ab6bee..0a04d158 100644 --- a/src/vty/telnet_interface.c +++ b/src/vty/telnet_interface.c @@ -120,7 +120,7 @@ static int client_data(struct osmo_fd *fd, unsigned int what) } /* vty might have been closed from vithin vty_read() */ - if (!conn->vty) + if (rc == -EBADFD) return rc; if (what & BSC_FD_WRITE) { @@ -193,7 +193,6 @@ void vty_event(enum event event, int sock, struct vty *vty) break; case VTY_CLOSED: /* vty layer is about to free() vty */ - connection->vty = NULL; telnet_close_client(bfd); break; default: |