Changeset c6bc434

Timestamp:

2016-02-10T03:53:11Z (9 years ago)

Author:

dequis <dx@…>

Parents:

9456255

Message:

Fix a double free when calling proxy_disconnect() inside phb->func()

Fixes trac ticket #1248

proxy_connected() calls phb->func(), then tries to do phb_free() directly
afterwards, but that might have been freed by a proxy_disconnect() call
during the execution of that callback.

This one happened to two different people today, probably because some
AIM server broke.

This commit fixes it by checking the phb hash table again, ensuring that
there's something attached to the same fd, and checking that the value
of the returned pointer is the same as the one we had before.

I'm not a lawyer but I think that relying on the value of the phb
pointer, which may be freed, is undefined behavior. The memory allocator
could reuse that pointer, and the OS could reuse that fd. You could
totally write some code that disconnects then establishes a new
connection that reuses the same fd and memory locations. This fix sucks.

File:

• lib/proxy.c (modified) (2 diffs)

lib/proxy.c

@@ -92 +92 @@
         socklen_t len;
         int error = ETIMEDOUT;
+        int fd;
 
         len = sizeof(error);
@@ -122 +123 @@
         phb->inpa = 0;
 
+        fd = phb->fd;
+
         if (phb->proxy_func) {
                 phb->proxy_func(phb->proxy_data, source, B_EV_IO_READ);
         } else {
+                struct PHB *phb_check;
+
                 phb->func(phb->data, source, B_EV_IO_READ);
-                phb_free(phb, TRUE);
+
+                /* Check the hash table again before touching phb, in case it was freed */
+                if ((phb_check = g_hash_table_lookup(phb_hash, &fd)) && phb_check == phb) {
+                        phb_free(phb, TRUE);
+                }
         }