View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0007637 | GNUnet | peerstore | public | 2023-01-29 22:35 | 2024-02-29 22:46 |
| Reporter | ulfvonbelow | Assigned To | schanzen | ||
| Priority | normal | Severity | minor | Reproducibility | always |
| Status | closed | Resolution | fixed | ||
| Product Version | Git master | ||||
| Target Version | 0.19.4 | Fixed in Version | 0.19.4 | ||
| Summary | 0007637: Write-after-free in handle_iterate_end and handle_watch_record in peerstore_api.c | ||||
| Description | The callback may cause `h` to be freed. This happens in a test case, though I don't recall which one. If that happens, writing to `h->reconnect_delay` may corrupt the heap. | ||||
| Steps To Reproduce | `./configure --enable-sanitizer`, then `make`, `make install`, `make check` | ||||
| Additional Information | Patch attached. | ||||
| Tags | patch | ||||
| Attached Files | 0001-PEERSTORE-fix-write-after-free-in-handle_-iterate_en.patch (1,538 bytes) | ||||
From b06cfc9b9dcab71878210e7541e7360f51fc72ab Mon Sep 17 00:00:00 2001
From: ulfvonbelow <strilen@tilde.club>
Date: Sun, 29 Jan 2023 06:17:52 -0600
Subject: [PATCH] PEERSTORE: fix write-after-free in
handle_{iterate_end,watch_record}
One of the tests - I forget which one, didn't write it down at the time -
actually does cause h to be freed in its callback. If this isn't supposed to
be allowed, we should find and fix that test.
---
src/peerstore/peerstore_api.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/peerstore/peerstore_api.c b/src/peerstore/peerstore_api.c
index b3e793d93..1c13369cf 100644
--- a/src/peerstore/peerstore_api.c
+++ b/src/peerstore/peerstore_api.c
@@ -608,9 +608,10 @@ handle_iterate_end (void *cls, const struct GNUNET_MessageHeader *msg)
callback_cls = ic->callback_cls;
ic->iterating = GNUNET_NO;
GNUNET_PEERSTORE_iterate_cancel (ic);
+ /* NOTE: set this here and not after callback because callback may free h */
+ h->reconnect_delay = GNUNET_TIME_UNIT_ZERO;
if (NULL != callback)
callback (callback_cls, NULL, NULL);
- h->reconnect_delay = GNUNET_TIME_UNIT_ZERO;
}
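Review bot: moving `h->reconnect_delay = GNUNET_TIME_UNIT_ZERO;` ahead of `callback (callback_cls, NULL, NULL);` protects only the one write visible in this hunk, while the commit message leaves open whether a callback is allowed to free h at all. If it is, every other handler that touches h after invoking a user callback carries the same hazard, and so does whatever the caller of handle_iterate_end does with h once this function returns, which this hunk cannot show. Suggest settling the contract rather than working around it: either document in the iterate callback's API description that the callback may disconnect h, and audit all callback sites accordingly, or locate the test the commit message refers to and fix it, in which case the added NOTE comment should name that test and the reorder becomes defensive only.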
@@ -781,9 +782,9 @@ handle_watch_record (void *cls, const struct StoreRecordMessage *msg)
disconnect_and_schedule_reconnect (h);
return;
}
+ h->reconnect_delay = GNUNET_TIME_UNIT_ZERO;
if (NULL != wc->callback)
wc->callback (wc->callback_cls, record, NULL);
- h->reconnect_delay = GNUNET_TIME_UNIT_ZERO;
PEERSTORE_destroy_record (record);
}
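Review bot: this hunk lacks the NOTE comment the first hunk adds before `h->reconnect_delay = GNUNET_TIME_UNIT_ZERO;`. Without it, a reader of handle_watch_record sees an arbitrary reset-before-callback and a later cleanup could move it back after `wc->callback (wc->callback_cls, record, NULL);`, reintroducing the write-after-free; suggest repeating the comment here. It is also worth stating in that comment that `PEERSTORE_destroy_record (record);`, which still runs after the callback, must only touch `record`, since both `h` and `wc` may have been freed by the callback by then.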
--
2.38.1
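The hazard the report describes, reduced to a self-contained model as an added example (this is not GNUnet code; `struct handle`, `handle_disconnect`, `handle_end_reorder` and `handle_end_guarded` are hypothetical names). It shows the patch's approach of doing every write to the handle before the user callback and never touching it afterwards, and, going beyond the patch, a guard that defers a disconnect requested from inside a callback so the handler can still use the handle after the callback returns. Build with `-fsanitize=address` to see the original ordering fail and these two orderings pass.

```c
#include <stdlib.h>

/* Hypothetical handle whose user callback may disconnect (free) the handle
 * from inside the callback, as the report says a peerstore test does. */
struct handle;
typedef void (*handle_cb)(void *cls, struct handle *h);

struct handle {
  unsigned int reconnect_delay;
  int in_callback;       /* set while a user callback is running */
  int destroy_pending;   /* disconnect requested from inside a callback */
  handle_cb callback;
  void *callback_cls;
};

static int frees_done;   /* how many handles were actually freed (for checks) */

struct handle *handle_connect(handle_cb cb, void *cls)
{
  struct handle *h = calloc(1, sizeof *h);
  if (NULL == h) return NULL;
  h->reconnect_delay = 5;   /* pretend a reconnect backoff is in effect */
  h->callback = cb;
  h->callback_cls = cls;
  return h;
}

/* Public API, safe to call from inside a callback: while a callback runs the
 * free is deferred to the handler that invoked it. */
void handle_disconnect(struct handle *h)
{
  if (h->in_callback) {
    h->destroy_pending = 1;
    return;
  }
  free(h);
  frees_done++;
}

/* Approach 1 (what the attached patch does): write h before the callback and
 * touch nothing of h afterwards. Correct, but any later edit that appends a
 * use of h after the callback reintroduces the write-after-free. */
void handle_end_reorder(struct handle *h)
{
  handle_cb cb = h->callback;
  void *cls = h->callback_cls;
  h->reconnect_delay = 0;   /* must come before the callback */
  if (NULL != cb)
    cb(cls, h);
  /* h may be freed at this point; it must not be dereferenced. */
}

/* Approach 2: guard the callback so a disconnect from inside it is deferred;
 * the handler may then use h afterwards and performs the deferred free
 * itself. Returns 1 if h was destroyed, 0 if it is still valid. */
int handle_end_guarded(struct handle *h)
{
  handle_cb cb = h->callback;
  void *cls = h->callback_cls;
  h->in_callback = 1;
  if (NULL != cb)
    cb(cls, h);
  h->in_callback = 0;
  h->reconnect_delay = 0;   /* safe: a requested free was deferred */
  if (h->destroy_pending) {
    handle_disconnect(h);   /* now really frees */
    return 1;
  }
  return 0;
}

static void cb_disconnects(void *cls, struct handle *h)
{
  (void) cls;
  handle_disconnect(h);     /* the pattern the report's test exercises */
}

static void cb_noop(void *cls, struct handle *h) { (void) cls; (void) h; }

/* Scenarios returning values a check can assert on. */
int scenario_reorder_with_freeing_callback(void)
{
  int before = frees_done;
  struct handle *h = handle_connect(cb_disconnects, NULL);
  if (NULL == h) return -1;
  handle_end_reorder(h);     /* h is gone after this line */
  return frees_done - before;   /* 1: freed once, nothing written after */
}

int scenario_guarded_with_freeing_callback(void)
{
  int before = frees_done;
  struct handle *h = handle_connect(cb_disconnects, NULL);
  if (NULL == h) return -1;
  int destroyed = handle_end_guarded(h);
  return (1 == destroyed && 1 == frees_done - before) ? 1 : 0;
}

int scenario_guarded_with_noop_callback(void)
{
  struct handle *h = handle_connect(cb_noop, NULL);
  if (NULL == h) return -1;
  int destroyed = handle_end_guarded(h);
  int delay = (int) h->reconnect_delay;   /* h still valid here */
  handle_disconnect(h);
  return (0 == destroyed && 0 == delay) ? 1 : 0;
}
```

The guard in approach 2 is the more robust shape when callbacks are documented as allowed to disconnect: the handler no longer depends on the textual order of its own statements, and the `destroy_pending` check makes the "callback freed me" case explicit instead of silent.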
| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2023-01-29 22:35 | ulfvonbelow | New Issue | |
| 2023-01-29 22:35 | ulfvonbelow | Tag Attached: bug | |
| 2023-01-29 22:35 | ulfvonbelow | Tag Attached: patch | |
| 2023-01-29 22:35 | ulfvonbelow | File Added: 0001-PEERSTORE-fix-write-after-free-in-handle_-iterate_en.patch | |
| 2023-02-06 06:05 | schanzen | Assigned To | => schanzen |
| 2023-02-06 06:05 | schanzen | Status | new => resolved |
| 2023-02-06 06:05 | schanzen | Resolution | open => fixed |
| 2023-02-06 06:05 | schanzen | Fixed in Version | => 0.19.4 |
| 2023-02-06 06:19 | schanzen | Target Version | => 0.19.4 |
| 2023-06-01 20:26 | schanzen | Note Added: 0020230 | |
| 2023-06-01 20:26 | schanzen | Status | resolved => closed |
| 2024-02-29 22:46 | Christian Grothoff | Tag Detached: bug | |