From 9d0a3260b2d1b57b7edfd3f72885d861883d4621 Mon Sep 17 00:00:00 2001 From: "Andrew J. Schorr" Date: Tue, 11 Jul 2006 00:06:49 +0000 Subject: [lib] Do not call vty_close in vty_log_out to avoid possible free memory access 2006-07-10 Andrew J. Schorr * vty.c: (vty_log_out) Do not call vty_close, because this could result in a parent function's accessing the freed memory. Instead, set status VTY_CLOSE and call shutdown(vty->fd, SHUT_RDWR). And add a comment on vty_close. --- lib/ChangeLog | 7 +++++++ lib/vty.c | 10 ++++++++-- 2 files changed, 15 insertions(+), 2 deletions(-) diff --git a/lib/ChangeLog b/lib/ChangeLog index 25df2657..02148671 100644 --- a/lib/ChangeLog +++ b/lib/ChangeLog @@ -1,3 +1,10 @@ +2006-07-10 Andrew J. Schorr + + * vty.c: (vty_log_out) Do not call vty_close, because this could + result in a parent function's accessing the freed memory. + Instead, set status VTY_CLOSE and call shutdown(vty->fd, SHUT_RDWR). + And add a comment on vty_close. + 2006-07-10 Andrew J. Schorr * vty.c: (vty_log_out, vty_read, vty_flush, vtysh_flush, vtysh_read) diff --git a/lib/vty.c b/lib/vty.c index 98e75060..4288e150 100644 --- a/lib/vty.c +++ b/lib/vty.c @@ -186,7 +186,10 @@ vty_log_out (struct vty *vty, const char *level, const char *proto_str, zlog_warn("%s: write failed to vty client fd %d, closing: %s", __func__, vty->fd, safe_strerror(errno)); buffer_reset(vty->obuf); - vty_close(vty); + /* cannot call vty_close, because a parent routine may still try + to access the vty struct */ + vty->status = VTY_CLOSE; + shutdown(vty->fd, SHUT_RDWR); return -1; } return 0; @@ -2141,7 +2144,10 @@ vty_serv_sock (const char *addr, unsigned short port, const char *path) #endif /* VTYSH */ } -/* Close vty interface. */ +/* Close vty interface. Warning: call this only from functions that + will be careful not to access the vty afterwards (since it has + now been freed). This is safest from top-level functions (called + directly by the thread dispatcher). */ void vty_close (struct vty *vty) { -- cgit v1.2.1