While investigating an issue with an older version of netifd I came upon what appears to be a use-after-free bug in the latest version of netifd (commit id: 448ffc15) in `interfaces.c::interface_proto_event_cb()` when handling the `IFPEV_DOWN` event.

Within this case there is a call to `interface_handle_config_change(iface)`:

```c
case IFPEV_DOWN:
    if (iface->state == IFS_DOWN)
        return;
    netifd_log_message(L_NOTICE, "Interface '%s' is now down\n", iface->name);
    mark_interface_down(iface);
    if (iface->main_dev.dev)
        device_release(&iface->main_dev);
    if (iface->l3_dev.dev)
        device_remove_user(&iface->l3_dev);
    interface_handle_config_change(iface);
    break;
```

which will free `iface` if `iface->config_state == IFC_REMOVE`:

```c
case IFC_REMOVE:
    interface_do_free(iface);
    return;
```

`iface` will be invalid if this happens.

However, after this call is made the code will drop to the bottom of `interface_proto_event_cb()` and call

```c
interface_write_resolv_conf(iface->jail);
```

with the potentially invalid `iface` pointer.
I haven't investigated to see if it's actually possible for iface to be in the correct state to be freed when handling this event, but it certainly looks like it has the potential to be a bug. I thought it might be wise to alert somebody to this issue. If it's 'impossible' for iface to be freed at this point, perhaps it'd be worth at least adding a comment to that effect.
Regards
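The pattern the report describes (a callee that may free the object, followed by a caller that still dereferences it) is easiest to reason about in a reduced model. The following is an added illustration written for this page, not netifd's code: it keeps the field names from the report (`state`, `config_state`, `jail`) but the structures, counters, `interface_new()` and `reset_counters()` helpers and the sample interfaces are all constructed for the example. It shows one defensive shape for the callback: copy out what the tail of the function needs before the call that can release `iface`, and have that call report whether it freed the object so the caller never touches the pointer afterwards.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed miniature of the structures named in the report
 * (state, config_state, jail). Illustration only, not netifd's own code. */
enum iface_state  { IFS_DOWN, IFS_UP };
enum config_state { IFC_NORMAL, IFC_REMOVE };

struct interface {
    enum iface_state  state;
    enum config_state config_state;
    char *jail;                 /* owned by the interface, freed with it */
};

/* Observability for the test: what the tail of the callback actually did. */
static int  resolv_conf_writes;
static int  freed_interfaces;
static char last_jail_written[64];

static void reset_counters(void)
{
    resolv_conf_writes = 0;
    freed_interfaces = 0;
    last_jail_written[0] = '\0';
}

/* Stand-in for interface_write_resolv_conf(): only records the call. */
static void write_resolv_conf(const char *jail)
{
    resolv_conf_writes++;
    snprintf(last_jail_written, sizeof last_jail_written, "%s",
             jail ? jail : "(none)");
}

static void interface_do_free(struct interface *iface)
{
    free(iface->jail);
    free(iface);
    freed_interfaces++;
}

/* Mirrors the IFC_REMOVE branch the report quotes: the object may be
 * released here. Returning whether that happened is the contract that lets
 * the caller avoid a dangling dereference. */
static bool handle_config_change(struct interface *iface)
{
    if (iface->config_state == IFC_REMOVE) {
        interface_do_free(iface);
        return true;
    }
    return false;
}

/* Hardened IFPEV_DOWN handler. Returns 0 if already down (nothing done),
 * 1 if handled and the interface is still alive, 2 if handled and freed.
 * The trailing write needs iface->jail, so it is copied out BEFORE the
 * call that may free iface rather than read from iface after it. */
static int proto_event_down(struct interface *iface)
{
    char jail[64];

    if (iface->state == IFS_DOWN)
        return 0;
    iface->state = IFS_DOWN;

    snprintf(jail, sizeof jail, "%s", iface->jail ? iface->jail : "");

    bool freed = handle_config_change(iface);
    /* iface must not be dereferenced past this point when freed is true. */

    write_resolv_conf(jail[0] ? jail : NULL);
    return freed ? 2 : 1;
}

/* Constructed sample interface in the UP state. */
static struct interface *interface_new(enum config_state cs, const char *jail)
{
    struct interface *iface = calloc(1, sizeof *iface);
    size_t n = strlen(jail) + 1;
    if (!iface)
        abort();
    iface->state = IFS_UP;
    iface->config_state = cs;
    iface->jail = malloc(n);
    if (!iface->jail)
        abort();
    memcpy(iface->jail, jail, n);
    return iface;
}

int main(void)
{
    struct interface *a = interface_new(IFC_NORMAL, "lan");
    int rc = proto_event_down(a);
    printf("normal: rc=%d freed=%d jail=%s\n", rc, freed_interfaces, last_jail_written);
    interface_do_free(a);

    struct interface *b = interface_new(IFC_REMOVE, "guest");
    rc = proto_event_down(b);
    printf("remove: rc=%d freed=%d jail=%s\n", rc, freed_interfaces, last_jail_written);
    return 0;
}
```

The snapshot-before-call shape keeps the resolv.conf write happening even on removal (the original ordering intends that), while the boolean return makes the ownership transfer explicit at the call site, which is also what a reviewer would look for when auditing any callback that can run `interface_do_free()` on its argument.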