OpenWrt/LEDE Project

  • Status Unconfirmed
  • Percent Complete
    0%
  • Task Type Bug Report
  • Category Base system
  • Assigned To No-one
  • Operating System All
  • Severity Low
  • Priority Very Low
  • Reported Version Trunk
  • Due in Version Undecided
  • Due Date Undecided
  • Private
Attached to Project: OpenWrt/LEDE Project
Opened by Chris Nisbet - 08.10.2021

FS#4070 - netifd: potential use-after-free bug?

While investigating an issue with an older version of netifd I came upon what appears to be a use-after-free bug in the latest version of netifd (commit id: 448ffc15) in interfaces.c::interface_proto_event_cb() when handling the IFPEV_DOWN event.

Within this case there is a call to interface_handle_config_change(iface):

	case IFPEV_DOWN:
		if (iface->state == IFS_DOWN)
			return;

		netifd_log_message(L_NOTICE, "Interface '%s' is now down\n", iface->name);
		mark_interface_down(iface);
		if (iface->main_dev.dev)
			device_release(&iface->main_dev);
		if (iface->l3_dev.dev)
			device_remove_user(&iface->l3_dev);
		interface_handle_config_change(iface);
		break;

This call will free ‘iface’ if iface->config_state == IFC_REMOVE:

	case IFC_REMOVE:
		interface_do_free(iface);
		return;

‘iface’ will be invalid if this happens.

However, after this call is made the code will drop to the bottom of interface_proto_event_cb() and call

	interface_write_resolv_conf(iface->jail);

with the potentially invalid ‘iface’ pointer.

I haven’t investigated to see if it’s actually possible for iface to be in the correct state to be freed when handling this event, but it certainly looks like it has the potential to be a bug. I thought it might be wise to alert somebody to this issue. If it’s ‘impossible’ for iface to be freed at this point, perhaps it’d be worth at least adding a comment to that effect.
Regards
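As an added illustration, not netifd code and not part of the report above, the following stand-alone C model shows the ownership problem described in the ticket: a callee that may free its argument while the caller keeps using the pointer afterwards. The struct, enum and function names are simplified stand-ins modelled on the names in the report; the `_checked` variant that returns whether the object was released, the counters, and `simulate_down_event()` are hypothetical and exist only to make the outcome observable without a sanitizer.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified stand-ins for the netifd structures named in the report.
 * Constructed for illustration; not netifd's real types. */
enum interface_config_state { IFC_NORMAL, IFC_RELOAD, IFC_REMOVE };

struct interface {
	char name[16];
	enum interface_config_state config_state;
	char *jail;	/* stands in for iface->jail */
};

/* Instrumentation so the outcome can be checked without a sanitizer. */
static int freed_count;			/* interfaces released via interface_do_free() */
static int resolv_writes;		/* calls to interface_write_resolv_conf() */
static char last_resolv_jail[16];	/* jail argument of the last such call */

static void interface_do_free(struct interface *iface)
{
	free(iface->jail);
	free(iface);
	freed_count++;
}

static void interface_write_resolv_conf(const char *jail)
{
	resolv_writes++;
	snprintf(last_resolv_jail, sizeof(last_resolv_jail), "%s",
		 jail ? jail : "(none)");
}

/* Pattern from the report: the callee may free its argument and the caller
 * has no way to know. Kept only for comparison; never executed here. */
static void interface_handle_config_change(struct interface *iface)
{
	if (iface->config_state == IFC_REMOVE) {
		interface_do_free(iface);
		return;
	}
	/* other states would apply the new config here */
}

static void proto_event_down_unsafe(struct interface *iface)
{
	interface_handle_config_change(iface);
	interface_write_resolv_conf(iface->jail);	/* use-after-free if freed above */
}

/* Hardened variant (hypothetical): the callee reports whether it released
 * the object, so ownership is explicit at the call site. */
static bool interface_handle_config_change_checked(struct interface *iface)
{
	if (iface->config_state == IFC_REMOVE) {
		interface_do_free(iface);
		return true;	/* iface is now invalid */
	}
	return false;
}

/* Returns 1 if the interface was torn down during the event, 0 otherwise. */
static int proto_event_down_safe(struct interface *iface)
{
	/* mark_interface_down() and device release steps omitted in this model */
	if (interface_handle_config_change_checked(iface))
		return 1;	/* must not dereference iface past this point */
	interface_write_resolv_conf(iface->jail);
	return 0;
}

/* Drives one IFPEV_DOWN event against a freshly built interface with the
 * given config_state and jail name; returns the handler's result. */
static int simulate_down_event(enum interface_config_state state, const char *jail)
{
	struct interface *iface = calloc(1, sizeof(*iface));
	if (!iface)
		return -1;
	snprintf(iface->name, sizeof(iface->name), "lan");
	iface->config_state = state;
	if (jail) {
		size_t n = strlen(jail) + 1;
		iface->jail = malloc(n);
		if (iface->jail)
			memcpy(iface->jail, jail, n);
	}

	int rc = proto_event_down_safe(iface);
	if (rc == 0)
		interface_do_free(iface);	/* still owned by us: clean up */
	return rc;
}

int main(void)
{
	(void)proto_event_down_unsafe;	/* shown for comparison only */
	int rc_remove = simulate_down_event(IFC_REMOVE, "lan-jail");
	printf("remove: rc=%d freed=%d resolv_writes=%d\n",
	       rc_remove, freed_count, resolv_writes);
	int rc_normal = simulate_down_event(IFC_NORMAL, "lan-jail");
	printf("normal: rc=%d freed=%d resolv_writes=%d jail=%s\n",
	       rc_normal, freed_count, resolv_writes, last_resolv_jail);
	return 0;
}
```

The alternative to a return flag is to copy everything the tail of the handler needs (here the jail name) into locals before the call that may free the object, which keeps the callee's signature unchanged; either way the invariant to document at the call site is that `iface` may not be dereferenced after `interface_handle_config_change()` returns.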
