[RP-PPPoE] Use-after-free in kernel mode plugin?

Dianne Skoll dfs at roaringpenguin.com
Tue Jan 31 10:40:16 EST 2017


On Tue, 31 Jan 2017 16:19:43 +0100
Bartos-Elekes Zsolt <muszi at kite.hu> wrote:

> Freeing connection info in plugin.c:PPPOEDisconnectDevice() results
> in use-after-free.  conn is malloc()-ed in PPPOEInitDevice(), which
> is called only once by pppd on initialization (PHASE_INITIALIZE). If
> the connection is closed by the peer, and pppd's "persist" option is
> in effect, pppd tries to reconnect, but might not succeed because
> conn is already free()d.

Thanks for that.  I think we can fix it simply by not freeing conn.  We
want to keep it around if persist is on, and if persist is not on, we don't
care because the pppd process will soon exit.

Please check if this patch fixes it for you.

Regards,

Dianne.

diff --git a/src/plugin.c b/src/plugin.c
index 75d9b81..67156f7 100644
--- a/src/plugin.c
+++ b/src/plugin.c
@@ -322,10 +322,8 @@ PPPOEDisconnectDevice(void)
     }
     close(conn->sessionSocket);
     close(conn->discoverySocket);
-    if (conn->ifName) {
-       free(conn->ifName);
-    }
-    free(conn);
+
+    /* Do NOT free conn; if pppd persist is on, we'll need it again */
 }
 
 static void
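Review bot: with conn now kept alive across a disconnect, conn->sessionSocket and conn->discoverySocket still hold the descriptor numbers that the two close() calls just released; if the persist reconnect path, or a second call to PPPOEDisconnectDevice(), ever closes them again, it can close an unrelated descriptor the process has since been handed the same number. Consider resetting both fields after the close() calls, e.g. `conn->sessionSocket = -1;` and `conn->discoverySocket = -1;`, and guarding each close() on `>= 0`. Since `free(conn->ifName)` is dropped as well, the new comment could mention ifName explicitly so a later reader does not reintroduce that free on its own. Minor: the bare `+` line adds a stray blank line before the comment.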

