summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
authorVito Caputo <vcaputo@pengaru.com>2023-07-03 07:49:40 -0700
committerVito Caputo <vcaputo@pengaru.com>2023-07-04 21:09:16 -0700
commit6e9ae3e84486bdc90d6bc0a965ac2a977d438505 (patch)
tree84ee2bdf4ae2f62e776864caac0b445cba021d99 /src
parentff02ed8ea5e32a1016c710f4625145e3abcc062b (diff)
til_module_context: untap early in module_context_free()
This was a UAF bug when the context being freed contained a driving tap... just careless placement of the untap call. It needs to occur before destroying the context, because module contexts are often used to store the til_tap_t instances.
Diffstat (limited to 'src')
-rw-r--r--src/til_module_context.c18
1 files changed, 11 insertions, 7 deletions
diff --git a/src/til_module_context.c b/src/til_module_context.c
index 8b13410..b11aad2 100644
--- a/src/til_module_context.c
+++ b/src/til_module_context.c
@@ -72,6 +72,17 @@ static inline void * module_context_free(til_module_context_t *module_context)
stream = module_context->stream;
setup = module_context->setup;
+ /* cleanup any pipes this context might have had in the stream. If the
+ * module's destroy_context() also does this it's harmlessly idempotent
+ * besides wasting some cycles. But by always doing it here, we're sure
+ * to not leave dangling references.
+ *
+ * XXX: note untapping _must_ happen before destroying the context, since
+ * the context may contain the driving tap and untap accesses it for
+ * checking ownership.
+ */
+ til_stream_untap_owner(stream, module_context);
+
if (module_context->module->destroy_context)
module_context->module->destroy_context(module_context);
else
@@ -79,13 +90,6 @@ static inline void * module_context_free(til_module_context_t *module_context)
(void) til_setup_free(setup); /* free last just in case the module destructor makes use of it */
- /* cleanup any pipes this context might have had in the stream, if the
- * module's destroy_context() also does this it's harmlessly idempotent
- * besides wasting some cycles. But by always doing it here, we're sure
- * to not leave dangling references.
- */
- til_stream_untap_owner(stream, module_context);
-
return NULL;
}
© All Rights Reserved