diff options
| author | Frederic Berat <fberat@de.adit-jv.com> | 2017-01-17 11:37:27 +0100 |
|---|---|---|
| committer | Christoph Lipka <clipka@jp.adit-jv.com> | 2017-02-01 12:14:55 +0900 |
| commit | 0ce6e68d8835b13aa6be52ffdf2d81e1170a3834 (patch) | |
| tree | a61dd79be59d2346be0c3614ed1f062f1ca147e2 /src/daemon/dlt_daemon_client.c | |
| parent | 03dce720baf91ff67eb82431f8d6ad24b4f4d657 (diff) | |
| download | DLT-daemon-0ce6e68d8835b13aa6be52ffdf2d81e1170a3834.tar.gz | |
dlt-daemon: Fix use after free potential issue
In dlt_daemon_send_all_multiple, if the connection was broken, we closed
it before getting the next available connection. This must be avoided by
having a temporary next pointer.
The same kind of problem is valid for pointers coming from the epoll
interface. The kernel can provide back connection pointer that are not
valid any longer. Therefore, we need to use an ID instead of the pointer
value to retrieve the connections.
Signed-off-by: Frederic Berat <fberat@de.adit-jv.com>
Signed-off-by: Christoph Lipka <clipka@jp.adit-jv.com>
Diffstat (limited to 'src/daemon/dlt_daemon_client.c')
| -rw-r--r-- | src/daemon/dlt_daemon_client.c | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/src/daemon/dlt_daemon_client.c b/src/daemon/dlt_daemon_client.c index e605bd5..84ffd5d 100644 --- a/src/daemon/dlt_daemon_client.c +++ b/src/daemon/dlt_daemon_client.c @@ -133,6 +133,8 @@ static int dlt_daemon_client_send_all_multiple(DltDaemon *daemon, { int ret = 0; DLT_DAEMON_SEM_LOCK(); + DltConnection *next = dlt_connection_get_next(temp->next, type_mask); + ret = dlt_connection_send_multiple(temp, data1, size1, @@ -166,7 +168,7 @@ static int dlt_daemon_client_send_all_multiple(DltDaemon *daemon, sent = 1; } - temp = dlt_connection_get_next(temp->next, type_mask); + temp = next; } /* for */ return sent; |