author: Kyuwon Shim <kyuwon.shim@alliedtelesis.co.nz> 2023-03-09 14:24:47 +1300
committer: Florian Westphal <fw@strlen.de> 2023-03-20 23:07:38 +0100
commit: 61fc904e36c1d3309829eaa8736d27477208aded
tree: 03b66f402607a163d24e2193f841c14d936ae6fe /configure.ac
parent: 524ce20b55a2793d380fc1e4b415b1ea5a9512b1
ulogd2: avoid use after free in unregister on global ulogd_fds linked list

    Invalid read of size 4
       at 0x405F60: ulogd_unregister_fd (select.c:74)
       by 0x4E4E3DF: ??? (in /usr/lib/ulogd/ulogd_inppkt_NFLOG.so)
       by 0x405003: stop_pluginstances (ulogd.c:1335)
       by 0x405003: sigterm_handler_task (ulogd.c:1383)
       by 0x405153: call_signal_handler_tasks (ulogd.c:424)
       by 0x405153: signal_channel_callback (ulogd.c:443)
       by 0x406163: ulogd_select_main (select.c:105)
       by 0x403CF3: ulogd_main_loop (ulogd.c:1070)
       by 0x403CF3: main (ulogd.c:1649)

Problem is that ulogd_inppkt_NFLOG.c::stop() calls ulogd_unregister_fd() which does llist_del(). This llist_del may touch ->prev pointer. As the list element is in private data, we cannot do this llist_del from stop_pluginstances().

Therefore, the free() process moved location after finishing ulogd_unregister_fd().

Signed-off-by: Kyuwon Shim <kyuwon.shim@alliedtelesis.co.nz>
Signed-off-by: Florian Westphal <fw@strlen.de>

Diffstat (limited to 'configure.ac')
0 files changed, 0 insertions, 0 deletions
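
The ordering problem described in the commit message, as an added example that is not ulogd code: a list node embedded in private data is unlinked either after or before that data is released. All names here are hypothetical, the node layout is an assumption, and free() is modelled by a flag so the stale access can be counted without undefined behaviour.

```c
#include <stdio.h>

/* Circular doubly linked list node (assumed shape of the fd list). */
struct llist_head { struct llist_head *next, *prev; };

/* Hypothetical plugin private data: the list node is embedded in it. */
struct priv {
    struct llist_head list;
    int released;   /* set by release_priv(); stands in for free() */
};

static struct llist_head fds = { &fds, &fds };  /* global list head */
static int stale_accesses;    /* unlinks performed on released data */

static void register_fd(struct priv *p)
{
    p->list.next = fds.next;
    p->list.prev = &fds;
    fds.next->prev = &p->list;
    fds.next = &p->list;
}

/* Unlinking reads the node's own ->next and ->prev. */
static void unregister_fd(struct priv *p)
{
    if (p->released)
        stale_accesses++;   /* with a real free(): an invalid read */
    p->list.next->prev = p->list.prev;
    p->list.prev->next = p->list.next;
}

static void release_priv(struct priv *p) { p->released = 1; }

/* Runs one stop sequence; returns how many stale accesses it made. */
static int stop_instance(int release_first)
{
    struct priv p = { { NULL, NULL }, 0 };
    stale_accesses = 0;
    register_fd(&p);
    if (release_first) release_priv(&p);   /* problematic order */
    unregister_fd(&p);
    if (!release_first) release_priv(&p);  /* order after the fix */
    return stale_accesses;
}

int main(void)
{
    printf("release first: %d, unlink first: %d\n", stop_instance(1), stop_instance(0));
    return 0;
}
```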