From 7a1110f5c13e7249062da952e1ac4de1b56d4a4e Mon Sep 17 00:00:00 2001
From: Nikias Bassen
Date: Mon, 7 Oct 2019 21:19:48 +0200
Subject: preflight: Prevent possible UaF if usb device is removed while preflight is in progress

The device serial number is only used by reference, however since the preflight helper runs in a separate thread the usb device might be invalidated before the preflight operation is complete, leading to a use-after-free when passing on the device info, followed by accessing the device serial number. By copying the serial number this can be avoided.
---
 src/preflight.c | 5 +++++
 1 file changed, 5 insertions(+)

(limited to 'src/preflight.c')

diff --git a/src/preflight.c b/src/preflight.c
index f46786e..86a51cf 100644
--- a/src/preflight.c
+++ b/src/preflight.c
@@ -337,6 +337,7 @@ leave:
 	if (dev)
 		idevice_free(dev);
+	free((char*)info->serial);
 	free(info);
 	return NULL;
@@ -353,6 +354,9 @@ void preflight_worker_device_add(struct device_info* info)
 	struct device_info *infocopy = (struct device_info*)malloc(sizeof(struct device_info));
 	memcpy(infocopy, info, sizeof(struct device_info));
+	if (info->serial) {
+		infocopy->serial = strdup(info->serial);
+	}
 	pthread_t th;
 	pthread_attr_t attr;
@@ -362,6 +366,7 @@ void preflight_worker_device_add(struct device_info* info)
 	int perr = pthread_create(&th, &attr, preflight_worker_handle_device_add, infocopy);
 	if (perr != 0) {
+		free((char*)infocopy->serial);
 		free(infocopy);
 		usbmuxd_log(LL_ERROR, "ERROR: failed to start preflight worker thread for device %s: %s (%d). Invoking client_device_add() directly but things might not work as expected.", info->serial, strerror(perr), perr);
 		client_device_add(info);
-- 
cgit v1.1-32-gdbae
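Review bot: The `free((char*)info->serial);` added at the `leave:` label is only correct because `info` here is the private copy made by preflight_worker_device_add(), whereas the `info` the caller hands in (still used on the fallback path in the third hunk) does not own its serial; that ownership split is recorded nowhere in the code. A comment at the free site would keep a later caller from handing a non-copied struct to this thread function, e.g. `/* info is the heap copy built by preflight_worker_device_add(); it owns serial (strdup'd), so release both here. */`. The cast away from const suggests `serial` is declared `const char *` in struct device_info — the struct is not in view, so this is inferred — and the same ownership note belongs on that member's declaration. The enclosing function starts outside the hunk.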
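Review bot: The `strdup(info->serial)` result is not checked, so on allocation failure `infocopy->serial` silently becomes NULL while `info->serial` was non-NULL, and the worker thread then runs with a struct whose serial differs from the original (a NULL reaching a `%s` in usbmuxd_log would be undefined behaviour). The pthread_create failure path in the third hunk already shows the intended fallback — log, drop the copy, call client_device_add(info) directly — and the same fallback fits here; the rewritten lines are below. The preceding `malloc` of `infocopy` is likewise unchecked before the `memcpy`, which is pre-existing but belongs to the same failure class. If struct device_info holds other pointer members, the memcpy still shares them with the caller's struct; only `serial` is deep-copied by this commit.

```c
	memcpy(infocopy, info, sizeof(struct device_info));
	if (info->serial) {
		infocopy->serial = strdup(info->serial);
		if (!infocopy->serial) {
			free(infocopy);
			usbmuxd_log(LL_ERROR, "ERROR: failed to copy device serial for preflight worker thread. Invoking client_device_add() directly but things might not work as expected.");
			client_device_add(info);
			return;
		}
	}
	/* … unchanged: pthread_t th; pthread_attr_t attr; … */
```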
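Review bot: The owned-field cleanup `free((char*)infocopy->serial); free(infocopy);` now exists in two places — here on the pthread_create failure path and at the `leave:` label in the first hunk — so any further member that preflight_worker_device_add() later deep-copies has to be remembered at both sites or it leaks on one of them. A single `static void device_info_free(struct device_info *info)` holding both frees, called from both sites, keeps the list of owned members in one place. It is also worth a one-line comment that the usbmuxd_log call on the following line intentionally reads the caller's `info->serial`, not the copy that has just been released. The enclosing function ends outside the hunk.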