diff options
author | Pau Espin Pedrol <pespin@sysmocom.de> | 2023-01-30 18:19:39 +0100 |
---|---|---|
committer | Pau Espin Pedrol <pespin@sysmocom.de> | 2023-01-30 18:23:55 +0100 |
commit | 2b11e9e97dae5fdffc12c309cd1e14eabfeb4ced (patch) | |
tree | e1d634182cdd3156595214c646d78f8356d98284 /src/host/layer23/src/modem/app_modem.c | |
parent | c9cc4c305de63e794956d0f70980b6f66a3b9103 (diff) |
trxcon: Fix heap-use-after-free in l1ctl_client
If the peer connected to trxcon restarts the process, read() on the unix
socket in trxcon fails, and triggers closing the conn (l1ctl_client),
which ends up freeing the struct. This all happens during read_cb() of
the l1ctl_client wqueue. If the kernel also flags WRITE event in the
same main loop iteration, the wqueue code would end up using the freed
struct again when running the write_cb.
Make sure the read_cb returns -EBADF in the code branch closing the conn
in read_cb, since it makes no sense to handle a write_cb after that.
This saves the code from accessing the potentially freed struct.
Related: OS#5872
Change-Id: I100a8ba056a09b4e52675e3539640da0c0f8d837
Diffstat (limited to 'src/host/layer23/src/modem/app_modem.c')
0 files changed, 0 insertions, 0 deletions