authorJakub Grajciar <jgrajcia@cisco.com>2019-09-09 10:39:08 +0200
committerJakub Grajciar <jgrajcia@cisco.com>2019-09-09 13:02:13 +0200
commitbdf3ebe358787ef240dc9fadc515dfd178dfef7b (patch)
tree806e89d5f950946321623e69f6f202147b336a4c
parente5948fb49a6eeaf437323cc1043a350cd33bcd47 (diff)
libmemif: prevent crash in case of invalid connection handle
Type: fix Signed-off-by: Jakub Grajciar <jgrajcia@cisco.com> Change-Id: I803c86a48e0148ef143026a5cd93e4510c4f0611 Signed-off-by: Jakub Grajciar <jgrajcia@cisco.com>
-rw-r--r--extras/libmemif/src/main.c40
1 files changed, 31 insertions, 9 deletions
diff --git a/extras/libmemif/src/main.c b/extras/libmemif/src/main.c
index def51a729f7..870120df997 100644
--- a/extras/libmemif/src/main.c
+++ b/extras/libmemif/src/main.c
@@ -1231,7 +1231,7 @@ int
memif_request_connection (memif_conn_handle_t c)
{
memif_connection_t *conn = (memif_connection_t *) c;
- libmemif_main_t *lm = get_libmemif_main (conn->args.socket);
+ libmemif_main_t *lm;
memif_socket_t *ms;
int err = MEMIF_ERR_SUCCESS;
int sockfd = -1;
@@ -1241,6 +1241,8 @@ memif_request_connection (memif_conn_handle_t c)
return MEMIF_ERR_NOCONN;
ms = (memif_socket_t *) conn->args.socket;
+ lm = get_libmemif_main (ms);
+
if (conn->args.is_master || ms->type == MEMIF_SOCKET_TYPE_LISTENER)
return MEMIF_ERR_INVAL_ARG;
@@ -1664,7 +1666,7 @@ memif_disconnect_internal (memif_connection_t * c)
uint16_t num;
int err = MEMIF_ERR_SUCCESS, i; /* 0 */
memif_queue_t *mq;
- libmemif_main_t *lm = get_libmemif_main (c->args.socket);
+ libmemif_main_t *lm;
memif_list_elt_t *e;
if (c == NULL)
@@ -1673,6 +1675,8 @@ memif_disconnect_internal (memif_connection_t * c)
return MEMIF_ERR_NOCONN;
}
+ lm = get_libmemif_main (c->args.socket);
+
c->on_disconnect ((void *) c, c->private_ctx);
if (c->fd > 0)
@@ -1794,12 +1798,14 @@ int
memif_delete_socket (memif_socket_handle_t * sock)
{
memif_socket_t *ms = (memif_socket_t *) * sock;
- libmemif_main_t *lm = get_libmemif_main (ms);
+ libmemif_main_t *lm;
/* check if socket is in use */
- if (ms == NULL || ms->type != MEMIF_SOCKET_TYPE_NONE)
+ if (ms == NULL || ms->use_count > 0)
return MEMIF_ERR_INVAL_ARG;
+ lm = get_libmemif_main (ms);
+
lm->free (ms->interface_list);
ms->interface_list = NULL;
lm->free (ms->filename);
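Review bot: `memif_delete_socket` still dereferences `sock` itself in the initializer `memif_socket_t *ms = (memif_socket_t *) * sock;`, before any check, so a NULL handle pointer crashes even though the `ms == NULL` case is now handled. The same pattern remains in `memif_delete`, where `* conn` is read in the initializer of `c`. Guard the outer pointer first, e.g. `if (sock == NULL || *sock == NULL) return MEMIF_ERR_INVAL_ARG;`, and assign `ms = (memif_socket_t *) *sock;` only after that. The function body continues past the end of this hunk.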
@@ -1814,7 +1820,7 @@ int
memif_delete (memif_conn_handle_t * conn)
{
memif_connection_t *c = (memif_connection_t *) * conn;
- libmemif_main_t *lm = get_libmemif_main (c->args.socket);
+ libmemif_main_t *lm;
memif_socket_t *ms = NULL;
int err = MEMIF_ERR_SUCCESS;
@@ -1832,6 +1838,8 @@ memif_delete (memif_conn_handle_t * conn)
return err;
}
+ lm = get_libmemif_main (c->args.socket);
+
free_list_elt_ctx (lm->control_list, lm->control_list_len, c);
ms = (memif_socket_t *) c->args.socket;
@@ -1875,11 +1883,16 @@ memif_delete (memif_conn_handle_t * conn)
int
memif_connect1 (memif_connection_t * c)
{
- libmemif_main_t *lm = get_libmemif_main (c->args.socket);
+ libmemif_main_t *lm;
memif_region_t *mr;
memif_queue_t *mq;
int i;
+ if (c == NULL)
+ return MEMIF_ERR_INVAL_ARG;
+
+ lm = get_libmemif_main (c->args.socket);
+
for (i = 0; i < c->regions_num; i++)
{
mr = &c->regions[i];
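Review bot: The new guard in `memif_connect1` rejects only `c == NULL`, and `c->args.socket` is then passed unchecked to `get_libmemif_main`. Judging from the `memif_delete_socket` hunk, where that call had to move below the `ms == NULL` test, `get_libmemif_main` appears to dereference its argument, so a connection with a NULL socket pointer would presumably still crash here. `memif_init_regions_and_queues` has the same shape. If a connection can exist without a socket, widen the guard to `if (c == NULL || c->args.socket == NULL) return MEMIF_ERR_INVAL_ARG;`; otherwise add a comment stating the invariant. The loop body continues outside the hunk.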
@@ -2102,7 +2115,12 @@ int
memif_init_regions_and_queues (memif_connection_t * conn)
{
memif_region_t *r;
- libmemif_main_t *lm = get_libmemif_main (conn->args.socket);
+ libmemif_main_t *lm;
+
+ if (conn == NULL)
+ return MEMIF_ERR_INVAL_ARG;
+
+ lm = get_libmemif_main (conn->args.socket);
/* region 0. rings */
memif_add_region (lm, conn, /* has_buffers */ 0);
@@ -2554,7 +2572,7 @@ memif_get_details (memif_conn_handle_t conn, memif_details_t * md,
char *buf, ssize_t buflen)
{
memif_connection_t *c = (memif_connection_t *) conn;
- libmemif_main_t *lm = get_libmemif_main (c->args.socket);
+ libmemif_main_t *lm;
memif_socket_t *ms;
int err = MEMIF_ERR_SUCCESS, i;
ssize_t l0 = 0, l1;
@@ -2563,6 +2581,7 @@ memif_get_details (memif_conn_handle_t conn, memif_details_t * md,
return MEMIF_ERR_NOCONN;
ms = (memif_socket_t *) c->args.socket;
+ lm = get_libmemif_main (ms);
l1 = strlen ((char *) c->args.interface_name);
if (l0 + l1 < buflen)
@@ -2736,8 +2755,11 @@ int
memif_cleanup ()
{
libmemif_main_t *lm = &libmemif_main;
+ int err;
- memif_delete_socket ((memif_socket_handle_t *) & lm->default_socket);
+ err = memif_delete_socket ((memif_socket_handle_t *) & lm->default_socket);
+ if (err != MEMIF_ERR_SUCCESS)
+ return err;
if (lm->control_list)
lm->free (lm->control_list);
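Review bot: The early `return err;` in `memif_cleanup` skips the `lm->control_list` release below it, so a failed socket delete leaves the remaining library state allocated. `memif_delete_socket` returns `MEMIF_ERR_INVAL_ARG` both for a NULL socket and for `use_count > 0`, so cleanup with no default socket (for instance a repeated call, if the handle is cleared on delete, which is not visible here) would now fail before freeing anything. Consider attempting the delete only when `lm->default_socket != NULL`. The function comment should also state that cleanup is refused while connections still use the default socket. The function continues past the hunk.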