From 77ab2f723ee221e0a12f9664383c578e62b7cd13 Mon Sep 17 00:00:00 2001
From: Daniel Willmann
Date: Wed, 21 May 2014 15:08:19 +0200
Subject: vty: Avoid use-after-free in VTY telnet interface
If the read callback closes the connection conn is already freed so we can't derefernce it. Instead return -EBADFD in the read function if it closed the connection and check for that.
---
 src/vty/telnet_interface.c | 3 +--
 src/vty/vty.c | 5 +++--
 2 files changed, 4 insertions(+), 4 deletions(-)
(limited to 'src/vty')
diff --git a/src/vty/telnet_interface.c b/src/vty/telnet_interface.c
index 32ab6bee..0a04d158 100644
--- a/src/vty/telnet_interface.c
+++ b/src/vty/telnet_interface.c
@@ -120,7 +120,7 @@ static int client_data(struct osmo_fd *fd, unsigned int what)
 }
 /* vty might have been closed from vithin vty_read() */
- if (!conn->vty)
+ if (rc == -EBADFD)
 return rc;
 if (what & BSC_FD_WRITE) {
@@ -193,7 +193,6 @@ void vty_event(enum event event, int sock, struct vty *vty)
 break;
 case VTY_CLOSED:
 /* vty layer is about to free() vty */
- connection->vty = NULL;
 telnet_close_client(bfd);
 break;
 default:
diff --git a/src/vty/vty.c b/src/vty/vty.c
index 8bfc35cd..fc86bdf3 100644
--- a/src/vty/vty.c
+++ b/src/vty/vty.c
@@ -1432,9 +1432,10 @@ int vty_read(struct vty *vty)
 }
 /* Check status. */
- if (vty->status == VTY_CLOSE)
+ if (vty->status == VTY_CLOSE) {
 vty_close(vty);
- else {
+ return -EBADFD;
+ } else {
 vty_event(VTY_WRITE, vty_sock, vty);
 vty_event(VTY_READ, vty_sock, vty);
 }
--
cgit v1.2.3
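Review bot: In client_data() the new `rc == -EBADFD` test is the only thing that keeps the code after it from dereferencing `conn` once the connection has been closed, so it is safe only if every path that frees the vty before this point returns exactly that value. The vty.c hunk shows one such path; whether vty_read() or anything else called earlier in client_data() can close the vty and return a different value is not visible here and should be confirmed. I would also state the contract where the check sits, replacing the context comment with `/* vty_read() returns -EBADFD once it has closed the vty; conn is freed by then, so return without touching it */`. client_data() starts and ends outside the hunk.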
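Review bot: Returning `-EBADFD` from vty_read() changes what the function reports to every caller, yet nothing at the new return says that this value means the vty has already been released. A caller other than client_data() that treats any negative result as an ordinary error and then cleans up through `vty` would reintroduce the use-after-free this commit removes; whether such callers exist is outside the hunk. I would add a comment above the new return, `/* vty_close() has released vty: the caller must not touch it again */`, and repeat the rule in the function's header comment. Note also that `EBADFD` is a Linux errno rather than a POSIX one, so builds on other platforms may need a fallback definition.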