trxcon: Fix heap-use-after-free in l1ctl_client

If the peer connected to trxcon restarts the process, read() on the unix socket in trxcon fails, and triggers closing the conn (l1ctl_client), which ends up freeing the struct. This all happens during read_cb() of the l1ctl_client wqueue. If the kernel also flags WRITE event in the same main loop iteration, the wqueue code would end up using the freed struct again when running the write_cb. Make sure the read_cb returns -EBADF in the code branch closing the conn in read_cb, since it makes no sense to handle a write_cb after that. This saves the code from accessing the potentially freed struct. Related: OS#5872 Change-Id: I100a8ba056a09b4e52675e3539640da0c0f8d837
author: Pau Espin Pedrol <pespin@sysmocom.de> 2023-01-30 18:19:39 +0100
committer: Pau Espin Pedrol <pespin@sysmocom.de> 2023-01-30 18:23:55 +0100
commit: 2b11e9e97dae5fdffc12c309cd1e14eabfeb4ced (patch)
tree: e1d634182cdd3156595214c646d78f8356d98284
parent: c9cc4c305de63e794956d0f70980b6f66a3b9103 (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/src/host/trxcon/src/l1ctl_server.c b/src/host/trxcon/src/l1ctl_server.c
index bfbd9976..c0f10158 100644
--- a/src/host/trxcon/src/l1ctl_server.c
+++ b/src/host/trxcon/src/l1ctl_server.c
@@ -61,7 +61,7 @@ static int l1ctl_client_read_cb(struct osmo_fd *ofd)
 			rc = -EIO;
 		}
 		l1ctl_client_conn_close(client);
-		return rc;
+		return -EBADF; /* client fd is gone, avoid processing any other events. */
 	}
 
 	/* Check message length */
author	Pau Espin Pedrol <pespin@sysmocom.de>	2023-01-30 18:19:39 +0100
committer	Pau Espin Pedrol <pespin@sysmocom.de>	2023-01-30 18:23:55 +0100
commit	2b11e9e97dae5fdffc12c309cd1e14eabfeb4ced (patch)
tree	e1d634182cdd3156595214c646d78f8356d98284
parent	c9cc4c305de63e794956d0f70980b6f66a3b9103 (diff)