
Use-after-free issue in rfbShutdownServer #211

Closed
ateska opened this issue Dec 27, 2017 · 4 comments
Assignees
Labels
bug

Comments


@ateska ateska commented Dec 27, 2017

rfbClientConnectionGone(cl);

See rfbClientIteratorNext (rfbClientIteratorNext:224) - `i->next = i->next->next;` memory that has been freed at the end of rfbClientConnectionGone() is accessed through the iterator.
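To make the failure mode in the report concrete, here is an added example that is not libvncserver code; every name in it (`lazy_next`, `prefetch_next`, `client_release`, `shutdown_lazy`) is hypothetical. It contrasts an iterator that reads `last->next` only on the following call, as the report describes, with one that prefetches the successor before handing the node out. Releasing a client is simulated with a quarantine instead of `free()` so the dangling read is observable in a test rather than undefined behaviour; in a real build the same read is what an ASan report would flag.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical client list; names are illustrative, not libvncserver's. */
typedef struct client {
    int id;
    struct client *next;
} client_t;

/* Quarantine in place of free(): released nodes are scribbled and kept
 * readable, so a dangling dereference can be detected by the example.
 * A real build would free() the node and rely on ASan to report the read. */
enum { QUARANTINE_MAX = 64 };
static client_t *quarantine[QUARANTINE_MAX];
static int nquarantine;

static void client_release(client_t *c) {
    memset(c, 0xdd, sizeof *c);                     /* like a debug allocator */
    if (nquarantine < QUARANTINE_MAX) quarantine[nquarantine++] = c;
}

static int is_released(const client_t *c) {
    for (int i = 0; i < nquarantine; i++)
        if (quarantine[i] == c) return 1;
    return 0;
}

static void quarantine_flush(void) {
    for (int i = 0; i < nquarantine; i++) free(quarantine[i]);
    nquarantine = 0;
}

static client_t *make_list(int n) {                 /* ids 1..n, constructed input */
    client_t *head = NULL;
    for (int i = n; i >= 1; i--) {
        client_t *c = calloc(1, sizeof *c);
        if (!c) abort();
        c->id = i;
        c->next = head;
        head = c;
    }
    return head;
}

/* Pattern from the report: the iterator remembers the node it handed out and
 * reads ->next from it only on the FOLLOWING call. If the caller released that
 * node in between, the read touches freed memory. */
typedef struct { client_t *head, *last; int started; } lazy_iter_t;

static client_t *lazy_next(lazy_iter_t *it, int *dangling_reads) {
    if (!it->started) { it->started = 1; it->last = it->head; return it->last; }
    if (it->last == NULL) return NULL;
    if (is_released(it->last)) {                    /* stand-in for the ASan report */
        (*dangling_reads)++;
        return NULL;                                /* real code reads garbage here */
    }
    it->last = it->last->next;
    return it->last;
}

/* Hardened pattern: fetch the successor BEFORE returning the node, so the
 * caller may release what it receives without affecting the iterator. */
typedef struct { client_t *pos; } prefetch_iter_t;

static client_t *prefetch_next(prefetch_iter_t *it) {
    client_t *c = it->pos;
    if (c) it->pos = c->next;                       /* read while c is still alive */
    return c;
}

/* Shut down by releasing every client through each iterator; return how many
 * were released. The lazy variant also reports dangling reads. */
static int shutdown_lazy(client_t *head, int *dangling_reads) {
    lazy_iter_t it = { head, NULL, 0 };
    client_t *c; int released = 0;
    *dangling_reads = 0;
    while ((c = lazy_next(&it, dangling_reads)) != NULL) {
        client_release(c);                          /* node gone; iterator still holds it */
        released++;
    }
    return released;
}

static int shutdown_prefetch(client_t *head) {
    prefetch_iter_t it = { head };
    client_t *c; int released = 0;
    while ((c = prefetch_next(&it)) != NULL) { client_release(c); released++; }
    return released;
}

/* Scenarios: three clients still connected at shutdown. */
static int demo_lazy(int *dangling_reads) {
    client_t *head = make_list(3), *all[3];
    int i = 0;
    for (client_t *c = head; c; c = c->next) all[i++] = c;
    int released = shutdown_lazy(head, dangling_reads);
    for (i = 0; i < 3; i++) if (!is_released(all[i])) free(all[i]); /* nodes the bug skipped */
    quarantine_flush();
    return released;
}
static int demo_lazy_released(void) { int d; return demo_lazy(&d); }
static int demo_lazy_dangling(void) { int d; demo_lazy(&d); return d; }
static int demo_prefetch(void) { int r = shutdown_prefetch(make_list(3)); quarantine_flush(); return r; }

int main(void) {
    printf("lazy iterator:     released %d of 3, dangling reads %d\n",
           demo_lazy_released(), demo_lazy_dangling());
    printf("prefetch iterator: released %d of 3, dangling reads 0\n", demo_prefetch());
    return 0;
}
```

With the lazy iterator only the first client is released before the iterator touches freed memory, so two clients are never torn down; with the prefetch iterator all three are released and the iterator never dereferences a released node. Building the real server with `-fsanitize=address` is the practical way to catch the same read.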

@ateska ateska changed the title A Use-after-free issue here A Use-after-free issue in rfbShutdownServer Dec 27, 2017

@ateska ateska commented Dec 27, 2017

xx

The issue appears when server is shutdown with one or more client still connected.

ateska added a commit to TeskaLabs/libvncserver that referenced this issue Dec 27, 2017
@bk138 bk138 self-assigned this Dec 30, 2017
@bk138 bk138 added the bug label Dec 30, 2017
@bk138 bk138 added this to the Release 0.9.12 milestone Dec 30, 2017
@ateska ateska changed the title A Use-after-free issue in rfbShutdownServer Use-after-free issue in rfbShutdownServer Dec 30, 2017

@bk138 bk138 commented May 14, 2018

@ateska I guess this happens when the server shuts down and a client disconnects at the very same point in time? Or do you experience something different?

Are you running a threaded server or not?


@ateska ateska commented Aug 9, 2018

The server is running in a dedicated thread. However, the mistake is obvious; it is likely caused by a more strict heap management policy on iOS. The code obviously accesses memory that has been free()d just a few steps back.

@bk138 bk138 removed the response-needed label Jan 6, 2019

@bk138 bk138 commented Jan 6, 2019

Closed by #238 in conjunction with 14c24e2 and d3a4292

@bk138 bk138 closed this Jan 6, 2019