From 8058989645e9fdb0dd13a369c2e2899016d70533 Mon Sep 17 00:00:00 2001
From: Christian Grothoff
Date: Fri, 5 Jan 2018 20:53:20 +0100
Subject: [PATCH] fix potential use after free in tcp

---
 src/transport/tcp_connection_legacy.c |  9 ++++++---
 src/transport/tcp_server_legacy.c     | 24 ++++++++++++++----------
 2 files changed, 20 insertions(+), 13 deletions(-)

diff --git a/src/transport/tcp_connection_legacy.c b/src/transport/tcp_connection_legacy.c
index 5b219a467..17157436d 100644
--- a/src/transport/tcp_connection_legacy.c
+++ b/src/transport/tcp_connection_legacy.c
@@ -1218,8 +1218,10 @@ RETRY:
  * @param timeout maximum amount of time to wait
  * @param receiver function to call with received data
  * @param receiver_cls closure for @a receiver
+ * @return #GNUNET_SYSERR if @a connection died (receiver was
+ *         called with error)
  */
-void
+int
 GNUNET_CONNECTION_receive (struct GNUNET_CONNECTION_Handle *connection,
                            size_t max,
                            struct GNUNET_TIME_Relative timeout,
@@ -1241,7 +1243,7 @@ GNUNET_CONNECTION_receive (struct GNUNET_CONNECTION_Handle *connection,
                                      connection->sock,
                                      &receive_ready,
                                      connection);
-    return;
+    return GNUNET_OK;
   }
   if ((NULL == connection->dns_active) &&
       (NULL == connection->ap_head) &&
@@ -1252,8 +1254,9 @@ GNUNET_CONNECTION_receive (struct GNUNET_CONNECTION_Handle *connection,
                           NULL, 0,
                           NULL, 0,
                           ETIMEDOUT);
-    return;
+    return GNUNET_SYSERR;
   }
+  return GNUNET_OK;
 }
 
 
diff --git a/src/transport/tcp_server_legacy.c b/src/transport/tcp_server_legacy.c
index d0ce790fc..f75b41e8c 100644
--- a/src/transport/tcp_server_legacy.c
+++ b/src/transport/tcp_server_legacy.c
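Review bot: The new `@return` on GNUNET_CONNECTION_receive documents only the #GNUNET_SYSERR case, while the two `return GNUNET_OK;` sites added in the following hunks (after the read task is scheduled, and the fall-through at the end of the function) are left undocumented, so a caller cannot tell from the comment whether #GNUNET_OK means a receive is now pending or merely that nothing fatal happened. I would extend it to `@return #GNUNET_OK if the receive was scheduled (receiver will be called later), #GNUNET_SYSERR if @a connection died (receiver was already called with an error)`. The diffstat lists only the two `.c` files; if the prototype is declared in a header this patch does not touch, the `void` to `int` change leaves that declaration out of sync and it needs the same update. Since the #GNUNET_SYSERR path invokes the receiver synchronously (the call ending in `ETIMEDOUT);` in the third hunk), the comment should also state that the caller must not touch @a connection after that return, because that is the contract the server-side hunks rely on.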
@@ -1044,11 +1044,13 @@ process_mst (struct GNUNET_SERVER_Client *client,
          "Server re-enters receive loop, timeout: %s.\n",
          GNUNET_STRINGS_relative_time_to_string (client->idle_timeout, GNUNET_YES));
     client->receive_pending = GNUNET_YES;
-    GNUNET_CONNECTION_receive (client->connection,
-                               GNUNET_MAX_MESSAGE_SIZE - 1,
-                               client->idle_timeout,
-                               &process_incoming,
-                               client);
+    if (GNUNET_OK !=
+        GNUNET_CONNECTION_receive (client->connection,
+                                   GNUNET_MAX_MESSAGE_SIZE - 1,
+                                   client->idle_timeout,
+                                   &process_incoming,
+                                   client))
+      return;
     break;
   }
   LOG (GNUNET_ERROR_TYPE_DEBUG,
@@ -1287,11 +1289,13 @@ GNUNET_SERVER_connect_socket (struct GNUNET_SERVER_Handle *server,
   for (n = server->connect_notify_list_head; NULL != n; n = n->next)
     n->callback (n->callback_cls, client);
   client->receive_pending = GNUNET_YES;
-  GNUNET_CONNECTION_receive (client->connection,
-                             GNUNET_MAX_MESSAGE_SIZE - 1,
-                             client->idle_timeout,
-                             &process_incoming,
-                             client);
+  if (GNUNET_SYSERR ==
+      GNUNET_CONNECTION_receive (client->connection,
+                                 GNUNET_MAX_MESSAGE_SIZE - 1,
+                                 client->idle_timeout,
+                                 &process_incoming,
+                                 client))
+    return NULL;
   return client;
 }
 
-- 
2.25.1
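Review bot: The two call sites test the new return value with different comparisons, `GNUNET_OK !=` in process_mst and `GNUNET_SYSERR ==` in GNUNET_SERVER_connect_socket, which is only equivalent while the function returns nothing but those two values; I would use `if (GNUNET_OK != GNUNET_CONNECTION_receive (...))` in both so that any future status value cannot slip past one of the checks. Both early exits are safe only if the error path inside process_incoming has already released `client`, or the caller now owns it: in GNUNET_SERVER_connect_socket the connect-notify callbacks in the leading context were already told about `client`, so `return NULL;` presumes the disconnect side has been run too, which I cannot confirm from the hunk. The loop in process_mst and the remainder of both functions continue outside the hunks, and a short comment at each new `return`, e.g. `/* receiver was already called with an error; client may be gone */`, would make the reason for bailing out visible to the next reader.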