vty: Avoid use-after-free in VTY telnet interface
If the read callback closes the connection conn is already freed so we
can't derefernce it. Instead return -EBADFD in the read function if it
closed the connection and check for that.
diff --git a/src/vty/vty.c b/src/vty/vty.c
index 8bfc35c..fc86bdf 100644
--- a/src/vty/vty.c
+++ b/src/vty/vty.c
@@ -1432,9 +1432,10 @@
}
/* Check status. */
- if (vty->status == VTY_CLOSE)
+ if (vty->status == VTY_CLOSE) {
vty_close(vty);
- else {
+ return -EBADFD;
+ } else {
vty_event(VTY_WRITE, vty_sock, vty);
vty_event(VTY_READ, vty_sock, vty);
}