FS#4070 - netifd: potential use-after-free bug? #9053

Open
openwrt-bot opened this issue Oct 8, 2021 · 0 comments

openwrt-bot commented Oct 8, 2021

ChrisNisbet01:

While investigating an issue with an older version of netifd I came upon what appears to be a use-after-free bug in the latest version of netifd (commit id: 448ffc15) in interfaces.c::interface_proto_event_cb() when handling the IFPEV_DOWN event.

Within this case there is a call to interface_handle_config_change(iface)

```c
case IFPEV_DOWN:
	if (iface->state == IFS_DOWN)
		return;

	netifd_log_message(L_NOTICE, "Interface '%s' is now down\n", iface->name);
	mark_interface_down(iface);
	if (iface->main_dev.dev)
		device_release(&iface->main_dev);
	if (iface->l3_dev.dev)
		device_remove_user(&iface->l3_dev);
	interface_handle_config_change(iface);
	break;
```

, which will free 'iface' if iface->config_state == IFC_REMOVE.

```c
case IFC_REMOVE:
	interface_do_free(iface);
	return;
```

'iface' will be invalid if this happens.

However, after this call is made the code will drop to the bottom of interface_proto_event_cb() and call

```c
interface_write_resolv_conf(iface->jail);
```

with the potentially invalid 'iface' pointer.

I haven't investigated to see if it's actually possible for iface to be in the correct state to be freed when handling this event, but it certainly looks like it has the potential to be a bug. I thought it might be wise to alert somebody to this issue. If it's 'impossible' for iface to be freed at this point, perhaps it'd be worth at least adding a comment to that effect.
Regards
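The pattern described in the report, reduced to a self-contained model with one way to make the tail call safe. This is an added example, not netifd code and not part of the original report: every `model_*` name, the fixed-size `jail` buffer and the boolean return value are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed model of the reported pattern; all names are hypothetical. */
enum model_cfg { MODEL_CFG_NORMAL, MODEL_CFG_REMOVE };

struct model_iface {
    enum model_cfg config_state;
    bool up;
    char jail[32]; /* lives and dies with the interface */
};

static char last_jail[32]; /* records what the trailing call received */

static void model_write_resolv_conf(const char *jail)
{
    snprintf(last_jail, sizeof(last_jail), "%s", jail);
}

static struct model_iface *model_iface_new(const char *jail, enum model_cfg st)
{
    struct model_iface *iface = calloc(1, sizeof(*iface));
    if (!iface)
        return NULL;
    iface->config_state = st;
    iface->up = true;
    snprintf(iface->jail, sizeof(iface->jail), "%s", jail);
    return iface;
}

/* Returns false when it freed iface; the caller must not touch it again. */
static bool model_handle_config_change(struct model_iface *iface)
{
    if (iface->config_state != MODEL_CFG_REMOVE)
        return true;
    free(iface);
    return false;
}

/* Down handler: snapshot what the tail needs before the call that may free. */
static bool model_event_down(struct model_iface *iface)
{
    char jail[sizeof(iface->jail)];

    snprintf(jail, sizeof(jail), "%s", iface->jail);
    iface->up = false;
    bool alive = model_handle_config_change(iface);
    model_write_resolv_conf(jail); /* the copy, never iface->jail */
    return alive;
}
```

Building the model with `-fsanitize=address` and changing the tail call to read `iface->jail` directly reproduces the kind of report ASan would give for the pattern in the issue.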
