While investigating an issue with an older version of netifd I came upon what appears to be a use-after-free bug in the latest version of netifd (commit id: 448ffc15) in interfaces.c::interface_proto_event_cb() when handling the IFPEV_DOWN event.
Within this case there is a call to interface_handle_config_change(iface), which will free 'iface' if iface->config_state == IFC_REMOVE. 'iface' will be invalid if this happens.

However, after this call is made the code will drop to the bottom of interface_proto_event_cb() and call

```c
if (iface->state == IFS_DOWN)
	netifd_log_message(L_NOTICE, "Interface '%s' is now down\n", iface->name);
```

with the potentially invalid 'iface' pointer.
I haven't investigated to see if it's actually possible for iface to be in the correct state to be freed when handling this event, but it certainly looks like it has the potential to be a bug. I thought it might be wise to alert somebody to this issue. If it's 'impossible' for iface to be freed at this point, perhaps it'd be worth at least adding a comment to that effect.
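The ordering problem described in this report is a general one: a helper that may free its argument is called, and the caller keeps using the pointer afterwards. The block below is an added illustration, not netifd code, built on a small stand-in `struct interface`. Only `IFS_DOWN` and `IFC_REMOVE` are names taken from the report; `IFS_UP`, `IFC_NORMAL`, `make_iface()`, `handle_ifpev_down()` and the `bool` return value of the stand-in `interface_handle_config_change()` are assumptions made for the example. The fix shown is to have the freeing helper report that it freed the object so the caller returns before the log line rather than dereferencing a dangling pointer.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-ins for the netifd state enums; only IFS_DOWN and
 * IFC_REMOVE are named in the report, the other values are hypothetical. */
enum interface_state { IFS_UP, IFS_DOWN };
enum interface_config_state { IFC_NORMAL, IFC_REMOVE };

struct interface {
	char name[16];
	enum interface_state state;
	enum interface_config_state config_state;
};

/* Counts how many interfaces the helper has freed (observability for tests). */
static int freed_count;

/* Allocates a test interface with the given name and config state. */
struct interface *make_iface(const char *name, enum interface_config_state cs)
{
	struct interface *iface = calloc(1, sizeof(*iface));
	if (!iface)
		return NULL;
	snprintf(iface->name, sizeof(iface->name), "%s", name);
	iface->state = IFS_UP;
	iface->config_state = cs;
	return iface;
}

/* Stand-in for interface_handle_config_change(): frees iface when its
 * config_state is IFC_REMOVE. Returning whether it freed the object is the
 * added convention that lets the caller avoid the dangling pointer; the real
 * netifd function's signature is not assumed here. */
bool interface_handle_config_change(struct interface *iface)
{
	if (iface->config_state == IFC_REMOVE) {
		free(iface);
		freed_count++;
		return true;
	}
	return false;
}

/* Hardened IFPEV_DOWN handling. In the reported ordering the "now down" log
 * line ran unconditionally after the config-change call, reading iface->name
 * from memory that may already have been freed. Here the caller checks the
 * helper's result first and returns early if iface is gone.
 * Returns 1 if the log line ran, 0 if it was skipped because iface was freed. */
int handle_ifpev_down(struct interface *iface)
{
	iface->state = IFS_DOWN;	/* assumption: state is set before the config check */

	if (interface_handle_config_change(iface))
		return 0;		/* iface has been freed: must not be touched again */

	if (iface->state == IFS_DOWN)
		printf("Interface '%s' is now down\n", iface->name);
	return 1;
}

int main(void)
{
	struct interface *eth0 = make_iface("eth0", IFC_NORMAL);
	struct interface *eth1 = make_iface("eth1", IFC_REMOVE);

	handle_ifpev_down(eth0);	/* logs, iface still valid */
	handle_ifpev_down(eth1);	/* freed by the helper, log skipped */
	free(eth0);
	return 0;
}
```

Building a test like this with `-fsanitize=address` is a cheap way to confirm the original ordering: if the early return is removed, the read of `iface->name` after the free is reported as a heap-use-after-free.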