View Issue Details

ID: 0007640
Project: GNUnet
Category: namestore service
View Status: public
Last Update: 2024-02-29 22:46
Reporter: ulfvonbelow
Assigned To: schanzen
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: Git master
Target Version: 0.19.4
Fixed in Version: 0.19.4
Summary: 0007640: Use-after-free in handle_record_result in src/namestore/namestore_api.c
Description: Calling either callback may cause ze to be freed. This happens in at least one test case.
Steps To Reproduce:
./configure --enable-sanitizer
make
make install
make check
Additional Information: Patch attached.
Tags: patch
Attached Files
0001-NAMESTORE-avoid-use-after-free-in-handle_record_resu.patch (1,405 bytes)
From ac1537089af07b51bdae5ba9e843f4ceb46a6f96 Mon Sep 17 00:00:00 2001
From: ulfvonbelow <strilen@tilde.club>
Date: Sun, 29 Jan 2023 06:24:16 -0600
Subject: [PATCH] NAMESTORE: avoid use-after-free in handle_record_result.

---
 src/namestore/namestore_api.c | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)

diff --git a/src/namestore/namestore_api.c b/src/namestore/namestore_api.c
index df6ba1f33..2c5efb745 100644
--- a/src/namestore/namestore_api.c
+++ b/src/namestore/namestore_api.c
@@ -619,11 +619,17 @@ handle_record_result (void *cls, const struct RecordResultMessage *msg)
     }
     if (NULL != ze)
     {
-      if (NULL != ze->proc)
-        ze->proc (ze->proc_cls, &private_key, name, rd_count, rd);
-      if (NULL != ze->proc2)
-        ze->proc2 (ze->proc_cls, &private_key, name,
-                   rd_count, rd, GNUNET_TIME_absolute_ntoh (msg->expire));
+      // Store them here because a callback could free ze
+      GNUNET_NAMESTORE_RecordMonitor proc;
+      GNUNET_NAMESTORE_RecordSetMonitor proc2;
+      void *proc_cls = ze->proc_cls;
+      proc = ze->proc;
+      proc2 = ze->proc2;
+      if (NULL != proc)
+        proc (proc_cls, &private_key, name, rd_count, rd);
+      if (NULL != proc2)
+        proc2 (proc_cls, &private_key, name,
+               rd_count, rd, GNUNET_TIME_absolute_ntoh (msg->expire));
       return;
     }
   }
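Review bot: The copies fix the dereference of `ze` after the first callback, but `proc2` is still invoked unconditionally after `proc` with the saved `proc_cls`; if `proc` frees the closure the second call receives a dangling `proc_cls`. Either state in the comment that only one of `proc`/`proc2` is expected to be set for a given `ze`, or guard the second call so it is skipped once the first has run. Minor: the three declarations can be combined with their initialisers (`GNUNET_NAMESTORE_RecordMonitor proc = ze->proc;` and similar), and the `//` comment should follow the `/* ... */` style used elsewhere in this file.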
-- 
2.38.1

Activities

schanzen

2023-06-01 20:26

administrator ~0020228

released some time ago

Issue History

Date Modified Username Field Change
2023-01-29 23:39 ulfvonbelow New Issue
2023-01-29 23:39 ulfvonbelow Tag Attached: bug
2023-01-29 23:39 ulfvonbelow Tag Attached: patch
2023-01-29 23:39 ulfvonbelow File Added: 0001-NAMESTORE-avoid-use-after-free-in-handle_record_resu.patch
2023-02-06 06:04 schanzen Assigned To => schanzen
2023-02-06 06:04 schanzen Status new => resolved
2023-02-06 06:04 schanzen Resolution open => fixed
2023-02-06 06:04 schanzen Fixed in Version => 0.19.4
2023-02-06 06:19 schanzen Target Version => 0.19.4
2023-06-01 20:26 schanzen Note Added: 0020228
2023-06-01 20:26 schanzen Status resolved => closed
2024-02-29 22:46 Christian Grothoff Tag Detached: bug