From 183fadc6e4e47b3eebd78b72360225cd2b84d92a Mon Sep 17 00:00:00 2001 From: Alexander Bluhm Date: Sat, 6 Jan 2024 19:34:55 +0000 Subject: Prevent use after free of TLS context at syslogd(8) shutdown. When splitting the event fields f_ev and f_bufev, disabling some events was missed. Callbacks could happen after tls_free(). Call bufferevent_disable() before f_bufev and struct filed are cleaned. In some error cases f_bufev might be NULL, add a check before cleanup. OK tb@ --- usr.sbin/syslogd/syslogd.c | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) (limited to 'usr.sbin/syslogd') diff --git a/usr.sbin/syslogd/syslogd.c b/usr.sbin/syslogd/syslogd.c index 00dd48fcf81..eab4e9c24f2 100644 --- a/usr.sbin/syslogd/syslogd.c +++ b/usr.sbin/syslogd/syslogd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: syslogd.c,v 1.279 2023/10/19 22:16:10 bluhm Exp $ */ +/* $OpenBSD: syslogd.c,v 1.280 2024/01/06 19:34:54 bluhm Exp $ */ /* * Copyright (c) 2014-2021 Alexander Bluhm @@ -1427,6 +1427,7 @@ tcp_errorcb(struct bufferevent *bufev, short event, void *arg) tls_free(f->f_un.f_forw.f_ctx); f->f_un.f_forw.f_ctx = NULL; } + bufferevent_disable(bufev, EV_READ|EV_WRITE); close(f->f_file); f->f_file = -1; @@ -1521,6 +1522,7 @@ tcp_connectcb(int fd, short event, void *arg) tls_free(f->f_un.f_forw.f_ctx); f->f_un.f_forw.f_ctx = NULL; } + bufferevent_disable(bufev, EV_READ|EV_WRITE); close(f->f_file); f->f_file = -1; loghost_retry(f); @@ -2421,9 +2423,14 @@ init(void) /* FALLTHROUGH */ case F_FORWTCP: evtimer_del(&f->f_un.f_forw.f_ev); - tcpbuf_dropped += f->f_dropped + - tcpbuf_countmsg(f->f_un.f_forw.f_bufev); - bufferevent_free(f->f_un.f_forw.f_bufev); + tcpbuf_dropped += f->f_dropped; + if (f->f_un.f_forw.f_bufev) { + bufferevent_disable(f->f_un.f_forw.f_bufev, + EV_READ|EV_WRITE); + tcpbuf_dropped += + tcpbuf_countmsg(f->f_un.f_forw.f_bufev); + bufferevent_free(f->f_un.f_forw.f_bufev); + } free(f->f_un.f_forw.f_ipproto); free(f->f_un.f_forw.f_host); free(f->f_un.f_forw.f_port); -- cgit v1.2.3