From 315aa3135aabab6dbaac76e64b5196ced7bcb0f4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?=
Date: Thu, 8 Feb 2024 12:31:09 +0100
Subject: [PATCH] Fix UAF in ccmsg.c when reading stopped before sending

When shutting down the whole server, the reading could stop and detach from controlconnection before sending is done. If send callback then detaches from the last controlconnection handle, the ccmsg would be invalidated after the send callback and thus we must not access ccmsg after calling the send_cb().
---
 lib/isccc/ccmsg.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/lib/isccc/ccmsg.c b/lib/isccc/ccmsg.c
index 4c033dd975..4c5ff61e5f 100644
--- a/lib/isccc/ccmsg.c
+++ b/lib/isccc/ccmsg.c
@@ -150,11 +150,13 @@ ccmsg_senddone(isc_nmhandle_t *handle, isc_result_t eresult, void *arg) {
 	isccc_ccmsg_t *ccmsg = arg;
 
 	REQUIRE(VALID_CCMSG(ccmsg));
+	REQUIRE(ccmsg->send_cb != NULL);
 
-	INSIST(ccmsg->send_cb != NULL);
-	ccmsg->send_cb(handle, eresult, ccmsg->send_cbarg);
+	isc_nm_cb_t send_cb = ccmsg->send_cb;
 	ccmsg->send_cb = NULL;
+	send_cb(handle, eresult, ccmsg->send_cbarg);
+
 	isc_nmhandle_detach(&handle);
 }
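Review bot: The lifetime rule the commit message relies on — that send_cb() may detach the last controlconnection handle and free ccmsg, so nothing after the call may touch it — is not recorded in ccmsg_senddone itself, and the new ordering (clear ccmsg->send_cb, call the saved pointer, then only isc_nmhandle_detach(&handle)) is correct today only because of that unstated rule; a later edit that reads ccmsg between the callback and the detach would silently reintroduce the use-after-free. A comment directly above the call would pin it: `/* send_cb() may detach the last handle and free ccmsg; do not touch ccmsg after this call. */`. Note also that ccmsg->send_cbarg is read as a call argument, so it is evaluated before the callback runs and is safe, but unlike send_cb it is left set afterwards; if the module expects the pair to be reset together, capture and clear it alongside, `void *send_cbarg = ccmsg->send_cbarg; ccmsg->send_cbarg = NULL;`, before the call — I cannot see the setter here, so treat that as something to confirm. The function's signature line is outside the hunk (it appears only in the hunk header), and the hunk header's line counts suggest one or two trailing context lines after the closing brace are not shown in this excerpt.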