Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use-after-free issue in rfbShutdownServer #211

Closed
ateska opened this issue Dec 27, 2017 · 4 comments
Closed

Use-after-free issue in rfbShutdownServer #211

ateska opened this issue Dec 27, 2017 · 4 comments
Assignees
@bk138
Labels
bug
Milestone
Release 0.9.12

Comments

@ateska
Copy link

ateska commented Dec 27, 2017

libvncserver/libvncserver/main.c

Line 1090 in 6814e94

rfbClientConnectionGone(cl);

See rfbClientIteratorNext (rfbClientIteratorNext:224) - i->next = i->next->next; a memory that has been freed at the end of rfbClientConnectionGone() is accessed thru iterator.
@ateska ateska changed the title A Use-after-free issue here A Use-after-free issue in rfbShutdownServer Dec 27, 2017
@ateska
Copy link
Author

ateska commented Dec 27, 2017

xx

The issue appears when server is shutdown with one or more client still connected.

ateska added a commit to TeskaLabs/libvncserver that referenced this issue Dec 27, 2017
@ateska
Fix of free-after-use error.
5a2edda 
Fixes LibVNC#211
@ateska ateska mentioned this issue Dec 27, 2017
Closed
@bk138 bk138 self-assigned this Dec 30, 2017
@bk138 bk138 added the bug label Dec 30, 2017
@bk138 bk138 added this to the Release 0.9.12 milestone Dec 30, 2017
@ateska ateska changed the title A Use-after-free issue in rfbShutdownServer Use-after-free issue in rfbShutdownServer Dec 30, 2017
@bk138
Copy link
Member

bk138 commented May 14, 2018
edited
Loading

@ateska I guess this happens when the server shuts down and a client disconnects the very same point in time? Or do you experience something different?

Are you running a threaded server or not?

@Quentin01 Quentin01 mentioned this issue Aug 9, 2018
Merged
@ateska
Copy link
Author

ateska commented Aug 9, 2018

The server is running in a dedicated thread. However, the mistake is obvious, it is likely caused by more strict heap management policy on iOS. The code obviously accesses the memory that has been free()d just few steps back.

@bk138
Copy link
Member

bk138 commented Jan 6, 2019

Closed by #238 in conjuction with 14c24e2 and d3a4292

@bk138 bk138 closed this as completed Jan 6, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@bk138 bk138

Labels
bug
Projects
None yet
Milestone
Release 0.9.12
Development

No branches or pull requests
2 participants
@bk138 @ateska