client: Prevent UaF in client_close() by checking if client is valid

author: Nikias Bassen 2020-08-02 01:32:43 +0200
committer: Nikias Bassen 2020-08-02 01:32:43 +0200
commit: 540e0c1fb988b926b625618c8bf31c8311f37e19 (patch)
tree: ca69e26edf014751a92e1eb0302951a6382c93a9 /src
parent: efa547103b619e62c7e41a305e5429055dcea370 (diff)
download: usbmuxd-540e0c1fb988b926b625618c8bf31c8311f37e19.tar.gz
usbmuxd-540e0c1fb988b926b625618c8bf31c8311f37e19.tar.bz2
1 files changed, 14 insertions, 1 deletions
diff --git a/src/client.c b/src/client.c
index 52e569d..7395046 100644
--- a/src/client.c
+++ b/src/client.c
@@ -251,6 +251,20 @@ int client_accept(int listenfd)
 void client_close(struct mux_client *client)
 {
+        int found = 0;
+        pthread_mutex_lock(&client_list_mutex);
+        FOREACH(struct mux_client *lc, &client_list) {
+                if (client == lc) {
+                        found = 1;
+                        break;
+                }
+        } ENDFOREACH
+        if (!found) {
+                // in case we get called again but client was already freed
+                usbmuxd_log(LL_DEBUG, "%s: ignoring for non-existing client %p", __func__, client);
+                pthread_mutex_unlock(&client_list_mutex);
+                return;
+        }
 #ifdef SO_PEERCRED
        if (log_level >= LL_INFO) {
                struct ucred cr;
@@ -278,7 +292,6 @@ void client_close(struct mux_client *client)
        free(client->ib_buf);
        plist_free(client->info);
-        pthread_mutex_lock(&client_list_mutex);
        collection_remove(&client_list, client);
        pthread_mutex_unlock(&client_list_mutex);
        free(client);
author	Nikias Bassen	2020-08-02 01:32:43 +0200
committer	Nikias Bassen	2020-08-02 01:32:43 +0200
commit	540e0c1fb988b926b625618c8bf31c8311f37e19 (patch)
tree	ca69e26edf014751a92e1eb0302951a6382c93a9 /src
parent	efa547103b619e62c7e41a305e5429055dcea370 (diff)
download	usbmuxd-540e0c1fb988b926b625618c8bf31c8311f37e19.tar.gz usbmuxd-540e0c1fb988b926b625618c8bf31c8311f37e19.tar.bz2

diff --git a/src/client.c b/src/client.c index 52e569d..7395046 100644 --- a/src/client.c +++ b/src/client.c
@@ -251,6 +251,20 @@ int client_accept(int listenfd)
251		251
252	void client_close(struct mux_client *client)	252	void client_close(struct mux_client *client)
253	{	253	{
		254	int found = 0;
		255	pthread_mutex_lock(&client_list_mutex);
		256	FOREACH(struct mux_client *lc, &client_list) {
		257	if (client == lc) {
		258	found = 1;
		259	break;
		260	}
		261	} ENDFOREACH
		262	if (!found) {
		263	// in case we get called again but client was already freed
		264	usbmuxd_log(LL_DEBUG, "%s: ignoring for non-existing client %p", __func__, client);
		265	pthread_mutex_unlock(&client_list_mutex);
		266	return;
		267	}
254	#ifdef SO_PEERCRED	268	#ifdef SO_PEERCRED
255	if (log_level >= LL_INFO) {	269	if (log_level >= LL_INFO) {
256	struct ucred cr;	270	struct ucred cr;
@@ -278,7 +292,6 @@ void client_close(struct mux_client *client)
278	free(client->ib_buf);	292	free(client->ib_buf);
279	plist_free(client->info);	293	plist_free(client->info);
280		294
281	pthread_mutex_lock(&client_list_mutex);
282	collection_remove(&client_list, client);	295	collection_remove(&client_list, client);
283	pthread_mutex_unlock(&client_list_mutex);	296	pthread_mutex_unlock(&client_list_mutex);
284	free(client);	297	free(client);