diff options
author | Rusty Russell <rusty@rustcorp.com.au> | 2009-12-02 08:57:42 +1030 |
---|---|---|
committer | Ronnie Sahlberg <ronniesahlberg@gmail.com> | 2009-12-02 11:27:23 +1100 |
commit | 9e84872ecd736454fd6f3ff620c733bf5066e4f3 (patch) | |
tree | aae218e19deee3010c7ade699debff5d50cf46f3 /ctdb/common/ctdb_io.c | |
parent | 6f045cad29623bcfbd62537c557c3d29eb8ca11d (diff) | |
download | samba-9e84872ecd736454fd6f3ff620c733bf5066e4f3.tar.gz samba-9e84872ecd736454fd6f3ff620c733bf5066e4f3.tar.xz samba-9e84872ecd736454fd6f3ff620c733bf5066e4f3.zip |
ctdb_io: fix use-after-free on invalid packets
Wolfgang saw a talloc complaint about using freed memory in ctdb_tcp_read_cb.
His fix was to remove the talloc_free() in that function, which causes
loops when a socket is closed (as it does not get removed from the event
system), eg:
netcat 192.168.1.2 4379 < /dev/null
The real bug is that when we have more than one pending packet in the
queue, we loop calling the callback without any safeguards should that
callback free the queue (as it tends to do on invalid packets). This
can be reproduced by sending more than one bogus packet at once:
# Length word at start: 4 == empty packet (assumed little endian)
/usr/bin/printf \\4\\0\\0\\0\\4\\0\\0\\0 > /tmp/pkt
netcat 192.168.1.2 4379 < /tmp/pkt
Using a destructor we can check if the callback frees us, and exit
immediately. Elsewhere, we return after the callback anyway.
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
(This used to be ctdb commit 4d0523dd94fb07e860b3e8118691f93d1ef8d0fa)
Diffstat (limited to 'ctdb/common/ctdb_io.c')
-rw-r--r-- | ctdb/common/ctdb_io.c | 20 |
1 files changed, 19 insertions, 1 deletions
diff --git a/ctdb/common/ctdb_io.c b/ctdb/common/ctdb_io.c index 99180ce926..28830d5f37 100644 --- a/ctdb/common/ctdb_io.c +++ b/ctdb/common/ctdb_io.c @@ -52,6 +52,7 @@ struct ctdb_queue { size_t alignment; void *private_data; ctdb_queue_cb_fn_t callback; + bool *destroyed; }; @@ -114,6 +115,8 @@ static void queue_io_read(struct ctdb_queue *queue) /* we have at least one packet */ uint8_t *d2; uint32_t len; + bool destroyed = false; + len = *(uint32_t *)data; if (len == 0) { /* bad packet! treat as EOF */ @@ -126,7 +129,15 @@ static void queue_io_read(struct ctdb_queue *queue) /* sigh */ goto failed; } + + queue->destroyed = &destroyed; queue->callback(d2, len, queue->private_data); + /* If callback freed us, don't do anything else. */ + if (destroyed) { + return; + } + queue->destroyed = NULL; + data += len; nread -= len; } @@ -337,7 +348,13 @@ int ctdb_queue_set_fd(struct ctdb_queue *queue, int fd) return 0; } - +/* If someone sets up this pointer, they want to know if the queue is freed */ +static int queue_destructor(struct ctdb_queue *queue) +{ + if (queue->destroyed != NULL) + *queue->destroyed = true; + return 0; +} /* setup a packet queue on a socket @@ -364,6 +381,7 @@ struct ctdb_queue *ctdb_queue_setup(struct ctdb_context *ctdb, return NULL; } } + talloc_set_destructor(queue, queue_destructor); return queue; } |