authorMartijn van Duren <martijn@cvs.openbsd.org>2023-10-27 10:32:12 +0000
committerMartijn van Duren <martijn@cvs.openbsd.org>2023-10-27 10:32:12 +0000
commitf6b639348d8cf746dd5906be6f6b44fa55ea36dd (patch)
treea7199c18fe594cc6e8e074ff937be47075cca752
parentb7ce15468f723c5d8ef6dfb5deb5e7fa6685556a (diff)
If an invalid varbindlist was returned by a backend we would call
appl_request_upstream_resolve() twice where the first call would already return a reply and free the upstream request, leading to a use after free. Make appl_request_downstream_free() call appl_request_upstream_resolve() unconditionally and remove the call from appl_response(). OK tb@
-rw-r--r--usr.sbin/snmpd/application.c14
1 files changed, 4 insertions, 10 deletions
diff --git a/usr.sbin/snmpd/application.c b/usr.sbin/snmpd/application.c
index 52aa34d72b7..33143d62816 100644
--- a/usr.sbin/snmpd/application.c
+++ b/usr.sbin/snmpd/application.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: application.c,v 1.24 2023/10/24 14:21:58 martijn Exp $ */
+/* $OpenBSD: application.c,v 1.25 2023/10/27 10:32:11 martijn Exp $ */
/*
* Copyright (c) 2021 Martijn van Duren <martijn@openbsd.org>
@@ -710,6 +710,7 @@ appl_request_upstream_free(struct appl_request_upstream *ureq)
if (ureq == NULL)
return;
+ ureq->aru_locked = 1;
for (i = 0; i < ureq->aru_varbindlen && ureq->aru_vblist != NULL; i++) {
vb = &(ureq->aru_vblist[i]);
ober_free_elements(vb->avi_varbind.av_value);
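Review bot: The added `ureq->aru_locked = 1;` carries no comment, and its purpose is not visible from this hunk; since the rest of the commit makes appl_request_downstream_free() call appl_request_upstream_resolve() unconditionally, the flag presumably exists so that a resolve triggered while this request is being torn down does not re-enter a half-freed ureq. That intent should be stated at the assignment, e.g. `/* Mark the request as being torn down so a nested appl_request_upstream_resolve() leaves it alone. */`, and if appl_request_upstream_resolve() does not actually check aru_locked early, the flag alone does not prevent the use after free the commit message describes. appl_request_upstream_free() starts before this hunk and its body continues past it.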
@@ -726,7 +727,6 @@ void
appl_request_downstream_free(struct appl_request_downstream *dreq)
{
struct appl_varbind_internal *vb;
- int retry = 0;
if (dreq == NULL)
return;
@@ -736,14 +736,11 @@ appl_request_downstream_free(struct appl_request_downstream *dreq)
for (vb = dreq->ard_vblist; vb != NULL; vb = vb->avi_next) {
vb->avi_request_downstream = NULL;
- if (vb->avi_state == APPL_VBSTATE_PENDING) {
+ if (vb->avi_state == APPL_VBSTATE_PENDING)
vb->avi_state = APPL_VBSTATE_NEW;
- retry = 1;
- }
}
- if (retry)
- appl_request_upstream_resolve(dreq->ard_request);
+ appl_request_upstream_resolve(dreq->ard_request);
free(dreq);
}
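Review bot: The now-unconditional `appl_request_upstream_resolve(dreq->ard_request);` can, per the commit message, send the reply and free the upstream request, so nothing may dereference dreq->ard_request after it; the code honors that, but only by accident of ordering, and a one-line comment would keep a future change from reading it back, e.g. `/* May reply to and free dreq->ard_request; do not touch it after this. */`. It is also not visible here whether resolve() tolerates a NULL ard_request or a request with no varbind reset to APPL_VBSTATE_NEW, so a short note on why the call is no longer gated on the old retry flag would help the next reader. appl_request_downstream_free() begins in the preceding hunk.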
@@ -1172,9 +1169,6 @@ appl_response(struct appl_backend *backend, int32_t requestid,
backend->ab_name);
backend->ab_fn->ab_close(backend, APPL_CLOSE_REASONPARSEERROR);
}
-
- if (ureq != NULL)
- appl_request_upstream_resolve(ureq);
}
int