local_sock: fix accept use-after-free
We should fetch the next waiter before the acceptor is released.

Signed-off-by: fangzhenwei <[email protected]>
Frozen935 authored and xiaoxiang781216 committed Oct 9, 2024
1 parent 5c3025e commit a6f8730
Showing 2 changed files with 5 additions and 3 deletions.
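--- a/include/nuttx/queue.h
+++ b/include/nuttx/queue.h
@@ -172,6 +172,9 @@
 for((p) = (q)->head, (tmp) = (p) ? (p)->flink : NULL; \
 (p) != NULL; (p) = (tmp), (tmp) = (p) ? (p)->flink : NULL)
 
+#define dq_for_every(q, p) sq_for_every(q, p)
+#define dq_for_every_safe(q, p, tmp) sq_for_every_safe(q, p, tmp)
+
 #define sq_rem(p, q) \
 do \
 { \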
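Review bot: The new `dq_for_every_safe` alias has no comment saying what "safe" covers, which matters because this commit relies on it to fix a use-after-free. Judging by the macro tail visible just above (presumably `sq_for_every_safe`, whose name line is outside the hunk), `(p)->flink` is saved into `tmp` before the body runs, so only removal or freeing of the current entry `p` is tolerated; if the body unlinks or frees the entry held in `tmp`, the next step still dereferences it. The alias also assumes the dq queue and entry types expose `head` and `flink` under the same names as the sq types, which this hunk does not show. I would add a comment above the aliases along the lines of `/* dq_for_every_safe: the body may remove/free p only; the entry saved in tmp must stay linked */`.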
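--- a/net/local/local_release.c
+++ b/net/local/local_release.c
@@ -73,14 +73,13 @@ int local_release(FAR struct local_conn_s *conn)
 {
 FAR struct local_conn_s *accept;
 FAR dq_entry_t *waiter;
+FAR dq_entry_t *tmp;
 
 DEBUGASSERT(conn->lc_proto == SOCK_STREAM);
 
 /* Are there still clients waiting for a connection to the server? */
 
-for (waiter = dq_peek(&conn->u.server.lc_waiters);
-waiter != NULL;
-waiter = dq_next(&accept->u.accept.lc_waiter))
+dq_for_every_safe(&conn->u.server.lc_waiters, waiter, tmp)
 {
 accept = container_of(waiter, struct local_conn_s,
 u.accept.lc_waiter);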
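Review bot: The switch to `dq_for_every_safe` only protects against the current `waiter` being released; `tmp` is a saved pointer to the next entry and is dereferenced on the following iteration. The loop body continues outside this hunk, so I cannot confirm it, but if anything in it drops the lock guarding `lc_waiters` or wakes a client that unlinks and frees its own connection, `tmp` can dangle in the same way `accept` did before the fix. I would state the assumption at the loop with a comment such as `/* lc_waiters must not change, other than 'waiter' itself, while iterating */`. If the body dequeues every waiter anyway, `while ((waiter = dq_remfirst(&conn->u.server.lc_waiters)) != NULL)` would avoid holding a saved next pointer at all.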
