preflight: Prevent possible UaF if usb device is removed while preflight is in progress

The device serial number is only used by reference, however since the preflight helper
runs in a separate thread the usb device might be invalidated before the preflight operation
is complete, leading to a use-after-free when passing on the device info, followed by accessing
the device serial number. By copying the serial number this can be avoided.

1 files changed, 5 insertions, 0 deletions

diff --git a/src/preflight.c b/src/preflight.c
index f46786e..86a51cf 100644
--- a/src/preflight.c
+++ b/src/preflight.c
@@ -337,6 +337,7 @@ leave:
         if (dev)
                 idevice_free(dev);
 
+        free((char*)info->serial);
         free(info);
 
         return NULL;
@@ -353,6 +354,9 @@ void preflight_worker_device_add(struct device_info* info)
         struct device_info *infocopy = (struct device_info*)malloc(sizeof(struct device_info));
 
         memcpy(infocopy, info, sizeof(struct device_info));
+        if (info->serial) {
+                infocopy->serial = strdup(info->serial);
+        }
 
         pthread_t th;
         pthread_attr_t attr;
@@ -362,6 +366,7 @@ void preflight_worker_device_add(struct device_info* info)
 
         int perr = pthread_create(&th, &attr, preflight_worker_handle_device_add, infocopy);
         if (perr != 0) {
+                free((char*)infocopy->serial);
                 free(infocopy);
                 usbmuxd_log(LL_ERROR, "ERROR: failed to start preflight worker thread for device %s: %s (%d). Invoking client_device_add() directly but things might not work as expected.", info->serial, strerror(perr), perr);
                 client_device_add(info);