From 9c5d17309be237f799105e252a26e2c32c2d9c50 Mon Sep 17 00:00:00 2001 From: Vito Caputo Date: Sat, 21 Jan 2023 11:04:39 -0800 Subject: til_stream: teardown pipes when the driving_tap's owner matches The driving tap's owner and pipe's owner are decoupled. When tearing down an owner from a stream, any pipes its taps are driving should also just go away. Otherwise its taps could linger on pipes it doesn't own, which would be a UAF bug. If the pipe is still needed, it'll just get recreated by another tap. So there's a small perf hit, but this shouldn't be a continuos kind of occurrence. --- src/til_stream.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'src') diff --git a/src/til_stream.c b/src/til_stream.c index c5e8326..fc3fc3c 100644 --- a/src/til_stream.c +++ b/src/til_stream.c @@ -203,14 +203,14 @@ int til_stream_tap(til_stream_t *stream, const void *owner, const void *owner_fo } -/* remove all pipes belonging to owner in stream */ +/* remove all pipes belonging to owner in stream, including pipes whose driving_tap is owned by owner */ void til_stream_untap_owner(til_stream_t *stream, const void *owner) { for (int i = 0; i < TIL_STREAM_BUCKETS_COUNT; i++) { for (til_stream_pipe_t *p = stream->buckets[i], *p_next, *p_prev; p != NULL; p = p_next) { p_next = p->next; - if (p->owner == owner) { + if (p->owner == owner || p->driving_tap->owner == owner) { if (p == stream->buckets[i]) stream->buckets[i] = p_next; else -- cgit v1.2.3