diff options
author | Vito Caputo <vcaputo@pengaru.com> | 2023-07-03 07:49:40 -0700 |
---|---|---|
committer | Vito Caputo <vcaputo@pengaru.com> | 2023-07-04 21:09:16 -0700 |
commit | 6e9ae3e84486bdc90d6bc0a965ac2a977d438505 (patch) | |
tree | 84ee2bdf4ae2f62e776864caac0b445cba021d99 /src | |
parent | ff02ed8ea5e32a1016c710f4625145e3abcc062b (diff) |
til_module_context: untap early in module_context_free()
This was a UAF bug when the context being freed contained a
driving tap... just careless placement of the untap call.
It needs to occur before destroying the context, because module
contexts are often used to store the til_tap_t instances.
Diffstat (limited to 'src')
-rw-r--r-- | src/til_module_context.c | 18 |
1 files changed, 11 insertions, 7 deletions
diff --git a/src/til_module_context.c b/src/til_module_context.c index 8b13410..b11aad2 100644 --- a/src/til_module_context.c +++ b/src/til_module_context.c @@ -72,6 +72,17 @@ static inline void * module_context_free(til_module_context_t *module_context) stream = module_context->stream; setup = module_context->setup; + /* cleanup any pipes this context might have had in the stream. If the + * module's destroy_context() also does this it's harmlessly idempotent + * besides wasting some cycles. But by always doing it here, we're sure + * to not leave dangling references. + * + * XXX: note untapping _must_ happen before destroying the context, since + * the context may contain the driving tap and untap accesses it for + * checking ownership. + */ + til_stream_untap_owner(stream, module_context); + if (module_context->module->destroy_context) module_context->module->destroy_context(module_context); else @@ -79,13 +90,6 @@ static inline void * module_context_free(til_module_context_t *module_context) (void) til_setup_free(setup); /* free last just in case the module destructor makes use of it */ - /* cleanup any pipes this context might have had in the stream, if the - * module's destroy_context() also does this it's harmlessly idempotent - * besides wasting some cycles. But by always doing it here, we're sure - * to not leave dangling references. - */ - til_stream_untap_owner(stream, module_context); - return NULL; } |