
Opened 8 years ago

Closed 8 years ago

#380 closed defect (fixed)

Session use after free in async_hangup().

Reported by: Jakub Jermář
Owned by: Jakub Jermář
Priority: major
Milestone: 0.5.0
Component: helenos/lib/c
Version: mainline
Keywords:
Cc:
Blocker for:
Depends on:
See also:

Description

Jano noticed:

uspace/lib/c/generic/async.c:1851 frees session that is later accessed in a loop

Change History (2)

comment:1 Changed 8 years ago by Jakub Jermář

The code in question:

        int rc = async_hangup_internal(sess->phone);
        if (rc == EOK)
                free(sess);

        while (!list_empty(&sess->exch_list)) {
                exch = (async_exch_t *)
                    list_get_instance(list_first(&sess->exch_list),
                    async_exch_t, sess_link);

comment:2 Changed 8 years ago by Jakub Jermář

Resolution: fixed
Status: new → closed

Fixed in mainline,1260.
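
The ordering problem in the excerpt from comment:1, reduced to a self-contained model: the session is released only after the loop that walks its exchange list has finished. This is an added example, not HelenOS code and not necessarily the change made in mainline; `sess_t`, `exch_t`, `phone_hangup`, `sess_create` and `sess_hangup` are hypothetical names.

```c
#include <stdlib.h>

/* Hypothetical stand-ins for the session and exchange types (not HelenOS code). */
typedef struct exch { struct exch *next; int phone; } exch_t;
typedef struct { int phone; exch_t *exch_list; } sess_t;

/* Constructed stub for the kernel hangup call: fails for negative phone handles. */
static int phone_hangup(int phone) { return phone >= 0 ? 0 : -1; }

/* Constructed helper: a session with n attached exchanges. */
sess_t *sess_create(int phone, int n)
{
    sess_t *sess = calloc(1, sizeof(*sess));
    if (sess == NULL)
        return NULL;
    sess->phone = phone;
    for (int i = 0; i < n; i++) {
        exch_t *e = calloc(1, sizeof(*e));
        if (e == NULL)
            break;
        e->phone = phone;
        e->next = sess->exch_list;
        sess->exch_list = e;
    }
    return sess;
}

/*
 * Hang up and tear down. Every read of sess->exch_list happens while sess
 * is still allocated; free(sess) is the last access. As in the excerpt, the
 * session is freed only when its own hangup succeeded. *released receives
 * the number of exchanges freed.
 */
int sess_hangup(sess_t *sess, int *released)
{
    int rc = phone_hangup(sess->phone);
    *released = 0;
    while (sess->exch_list != NULL) {
        exch_t *e = sess->exch_list;
        sess->exch_list = e->next;   /* unlink before freeing the node */
        phone_hangup(e->phone);
        free(e);
        (*released)++;
    }
    if (rc == 0)
        free(sess);   /* nothing dereferences sess past this point */
    return rc;
}
```

On the failure path the session stays allocated with an empty exchange list, so the caller still owns it and can retry or release it.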
