author | Nikias Bassen | 2019-10-07 21:19:48 +0200 |
committer | Nikias Bassen | 2019-10-07 21:19:48 +0200 |
commit | 7a1110f5c13e7249062da952e1ac4de1b56d4a4e (patch) | |
tree | 7913b0d145b33268d084b3301d01035eab032b1a | |
parent | 135ab5253879c197edae416b523e01aad4e13d98 (diff) | |
preflight: Prevent possible UaF if usb device is removed while preflight is in progress
The device serial number is only used by reference, however since the preflight helper
runs in a separate thread the usb device might be invalidated before the preflight operation
is complete, leading to a use-after-free when passing on the device info, followed by accessing
the device serial number. By copying the serial number this can be avoided.
-rw-r--r-- | src/preflight.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/src/preflight.c b/src/preflight.c
index f46786e..86a51cf 100644
--- a/src/preflight.c
+++ b/src/preflight.c
@@ -337,6 +337,7 @@ leave:
 if (dev)
 idevice_free(dev);
+ free((char*)info->serial);
 free(info);
 return NULL;
@@ -353,6 +354,9 @@ void preflight_worker_device_add(struct device_info* info)
 struct device_info *infocopy = (struct device_info*)malloc(sizeof(struct device_info));
 memcpy(infocopy, info, sizeof(struct device_info));
+ if (info->serial) {
+ infocopy->serial = strdup(info->serial);
+ }
 pthread_t th;
 pthread_attr_t attr;
@@ -362,6 +366,7 @@ void preflight_worker_device_add(struct device_info* info)
 int perr = pthread_create(&th, &attr, preflight_worker_handle_device_add, infocopy);
 if (perr != 0) {
+ free((char*)infocopy->serial);
 free(infocopy);
 usbmuxd_log(LL_ERROR, "ERROR: failed to start preflight worker thread for device %s: %s (%d). Invoking client_device_add() directly but things might not work as expected.", info->serial, strerror(perr), perr);
 client_device_add(info);
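Review bot: In the second hunk the result of `strdup(info->serial)` is never checked, so on allocation failure the worker thread is started with `infocopy->serial == NULL` while the original device did have a serial; the worker cannot tell that apart from "no serial" and, given the description says it accesses the serial, may dereference NULL or act on the wrong device. The `malloc` two lines above it is likewise unchecked before `memcpy`, though that predates this change. I would handle the copy failure the same way the third hunk already handles `pthread_create` failure: log, free the partial copy and fall back to `client_device_add(info)` synchronously. The first hunk frees the copied serial only at `leave:`; if `preflight_worker_handle_device_add` (whose body starts outside the hunk) has any return path that bypasses that label, the copy leaks there, and any other pointer members of `struct device_info` are still shared by reference with the USB layer since only `serial` is duplicated — worth confirming against the struct definition.
```c
	if (info->serial) {
		infocopy->serial = strdup(info->serial);
		if (!infocopy->serial) {
			usbmuxd_log(LL_ERROR, "ERROR: failed to copy serial for preflight worker; invoking client_device_add() directly.");
			free(infocopy);
			client_device_add(info);
			return;
		}
	}
	/* … unchanged: pthread_t th; pthread_attr_t attr; … */
```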