vty: Avoid use-after-free in VTY telnet interface If the read callback closes the connection conn is already freed so we can't derefernce it. Instead return -EBADFD in the read function if it closed the connection and check for that.

commit: 77ab2f723ee221e0a12f9664383c578e62b7cd13 [log] [tgz]
author: Daniel Willmann <dwillmann@sysmocom.de> Wed May 21 15:08:19 2014 +0200
committer: Holger Hans Peter Freyther <holger@moiji-mobile.com> Sun Jun 22 16:57:22 2014 +0200
tree: 9f139d71e8294e60e05b3f962acfed75c8089f8a
parent: 17aa6b25cb0b720279f5d8221de17b01398d0143 [diff] [blame]
diff --git a/src/vty/vty.c b/src/vty/vty.c
index 8bfc35c..fc86bdf 100644
--- a/src/vty/vty.c
+++ b/src/vty/vty.c

@@ -1432,9 +1432,10 @@
 	}
 
 	/* Check status. */
-	if (vty->status == VTY_CLOSE)
+	if (vty->status == VTY_CLOSE) {
 		vty_close(vty);
-	else {
+		return -EBADFD;
+	} else {
 		vty_event(VTY_WRITE, vty_sock, vty);
 		vty_event(VTY_READ, vty_sock, vty);
 	}
commit	77ab2f723ee221e0a12f9664383c578e62b7cd13	[log] [tgz]
author	Daniel Willmann <dwillmann@sysmocom.de>	Wed May 21 15:08:19 2014 +0200
committer	Holger Hans Peter Freyther <holger@moiji-mobile.com>	Sun Jun 22 16:57:22 2014 +0200
tree	9f139d71e8294e60e05b3f962acfed75c8089f8a
parent	17aa6b25cb0b720279f5d8221de17b01398d0143 [diff] [blame]