From 6aa4b6961c0f851d0406690d04991c34fe643cb4 Mon Sep 17 00:00:00 2001
From: Daniel Willmann <dwillmann@sysmocom.de>
Date: Thu, 2 Mar 2023 16:51:59 +0100
Subject: ipa-stream-server: Return -EBADF in read_cb after
 osmo_stream_srv_destroy()

This fixes a potential heap-use-after-free error.
When there is still data to be written the osmo_stream_srv_cb() will
call osmo_stream_srv_write() which will try to dereference conn even
though it has already been freed.

Change-Id: I5ac1920b8d4ce3b0205f00d253e7ed878fb745e3
---
 examples/ipa-stream-server.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

(limited to 'examples')

diff --git a/examples/ipa-stream-server.c b/examples/ipa-stream-server.c
index c311697..1ca1aaf 100644
--- a/examples/ipa-stream-server.c
+++ b/examples/ipa-stream-server.c
@@ -1,4 +1,5 @@
 /* IPA stream srv example */
+#include <errno.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
@@ -61,7 +62,7 @@ int read_cb(struct osmo_stream_srv *conn)
 		LOGP(DSTREAMTEST, LOGL_ERROR, "cannot receive message\n");
 		osmo_stream_srv_destroy(conn);
 		msgb_free(msg);
-		return 0;
+		return -EBADF;
 	}
 	if (osmo_ipa_process_msg(msg) < 0) {
 		LOGP(DSTREAMTEST, LOGL_ERROR, "Bad IPA message\n");
-- 
cgit v1.2.3