authorFrederic Berat <fberat@de.adit-jv.com>2017-01-17 11:37:27 +0100
committerChristoph Lipka <clipka@jp.adit-jv.com>2017-02-01 12:14:55 +0900
commit0ce6e68d8835b13aa6be52ffdf2d81e1170a3834 (patch)
treea61dd79be59d2346be0c3614ed1f062f1ca147e2 /src/daemon/dlt_daemon_connection.c
parent03dce720baf91ff67eb82431f8d6ad24b4f4d657 (diff)
dlt-daemon: Fix use after free potential issue
In dlt_daemon_send_all_multiple, if the connection was broken, we closed it before getting the next available connection. This must be avoided by keeping a temporary next pointer. The same kind of problem applies to pointers coming from the epoll interface: the kernel can hand back connection pointers that are no longer valid. Therefore, we need to use an ID instead of the pointer value to retrieve the connections. Signed-off-by: Frederic Berat <fberat@de.adit-jv.com> Signed-off-by: Christoph Lipka <clipka@jp.adit-jv.com>
Diffstat (limited to 'src/daemon/dlt_daemon_connection.c')
-rw-r--r--src/daemon/dlt_daemon_connection.c11
1 files changed, 11 insertions, 0 deletions
diff --git a/src/daemon/dlt_daemon_connection.c b/src/daemon/dlt_daemon_connection.c
index b22f4b7..8d2aa67 100644
--- a/src/daemon/dlt_daemon_connection.c
+++ b/src/daemon/dlt_daemon_connection.c
@@ -47,6 +47,8 @@
#include "dlt_common.h"
#include "dlt_gateway.h"
+static DltConnectionId connectionId;
+
/** @brief Generic sending function.
*
* We manage different type of connection which have similar send/write
@@ -319,6 +321,7 @@ void *dlt_connection_get_callback(DltConnection *con)
*/
void dlt_connection_destroy(DltConnection *to_destroy)
{
+ to_destroy->id = 0;
close(to_destroy->receiver->fd);
dlt_connection_destroy_receiver(to_destroy);
/* connection pointer might be in epoll queue and used even after destroying
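Review bot: Clearing `to_destroy->id` in dlt_connection_destroy only protects callers that look the connection up by id among the live connections; the existing comment just below says the pointer may still sit in the epoll queue, and any path that reads `->id` through that stale pointer would still touch released memory if the struct is freed later in this function. The rest of the body is outside the hunk, so whether the struct is freed here is not visible. I would state the contract in a comment on the new line, e.g. `/* 0 = invalid: epoll handlers must resolve connections by id, never through a saved pointer */`.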
@@ -388,6 +391,14 @@ int dlt_connection_create(DltDaemonLocal *daemon_local,
return -1;
}
+ /* We are single threaded no need for protection. */
+ temp->id = connectionId++;
+ if (!temp->id)
+ {
+ /* Skipping 0 */
+ temp->id = connectionId++;
+ }
+
temp->type = type;
temp->status = ACTIVE;
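Review bot: The id assigned in dlt_connection_create is unique only until `connectionId` wraps: the skip-zero branch handles the reserved value, but nothing checks that the next value is not still held by a long-lived connection, so after a wrap a stale epoll event could resolve to a different live connection. How reachable that is depends on the width of DltConnectionId, which is declared outside this page; if it is a signed type, the `connectionId++` overflow is also undefined behaviour. At minimum I would document this on the counter declared in the first hunk, e.g. `/* next connection id; 0 is reserved for destroyed connections; type must be unsigned and wide enough not to wrap in practice */`, or skip ids still in use when the counter wraps. dlt_connection_create starts and ends outside the hunk.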