InterLinked1 / lbbs

Lightweight BBS For Linux - Bulletin Board System server software
GNU General Public License v2.0

net_ssh: Use after free on node cleanup #25

Closed InterLinked1 closed 5 months ago

InterLinked1 commented 5 months ago

Use after free on node cleanup for SSH sessions. Stack traces from valgrind:
DEBUG[86175]: thread.c:136 __thread_unregister: Thread 86176 has been joined by thread 86175 at net_ssh.c:871 handle_session()
==86147== Thread 16:
==86147== Invalid read of size 8
==86147==    at 0xD3131D1: handle_session (net_ssh.c:879)
==86147==    by 0xD3136FB: ssh_connection (net_ssh.c:1499)
==86147==    by 0x147A16: thread_run (thread.c:375)
==86147==    by 0x50F8043: start_thread (pthread_create.c:442)
==86147==    by 0x517787F: clone (clone.S:100)
==86147==  Address 0xc95a378 is 152 bytes inside a block of size 352 free'd
==86147==    at 0x484317B: free (vg_replace_malloc.c:872)
==86147==    by 0x1348F0: bbs_node_unlink (node.c:602)
==86147==    by 0x136176: bbs_node_handler (node.c:1432)
==86147==    by 0x147A16: thread_run (thread.c:375)
==86147==    by 0x50F8043: start_thread (pthread_create.c:442)
==86147==    by 0x517787F: clone (clone.S:100)
==86147==  Block was alloc'd at
==86147==    at 0x48455EF: calloc (vg_replace_malloc.c:1328)
==86147==    by 0x117963: __bbs_calloc (alloc.c:83)
==86147==    by 0x13372C: __bbs_node_request (node.c:226)
==86147==    by 0xD3139CF: pty_request (net_ssh.c:476)
==86147==    by 0xD34E822: ??? (in /usr/lib/x86_64-linux-gnu/libssh.so.4.9.5)
==86147==    by 0xD34FAEF: ??? (in /usr/lib/x86_64-linux-gnu/libssh.so.4.9.5)
==86147==    by 0xD33DE06: ??? (in /usr/lib/x86_64-linux-gnu/libssh.so.4.9.5)
==86147==    by 0xD3556AF: ??? (in /usr/lib/x86_64-linux-gnu/libssh.so.4.9.5)
==86147==    by 0xD355E96: ??? (in /usr/lib/x86_64-linux-gnu/libssh.so.4.9.5)
==86147==    by 0xD3607DF: ??? (in /usr/lib/x86_64-linux-gnu/libssh.so.4.9.5)
==86147==    by 0xD35C8D9: ??? (in /usr/lib/x86_64-linux-gnu/libssh.so.4.9.5)
==86147==    by 0xD31305C: handle_session (net_ssh.c:776)
==86147==

 1 errors in context 1 of 4:
==86366== Thread 16:
==86366== Invalid read of size 8
==86366==    at 0xD3131D1: handle_session (net_ssh.c:879)
==86366==    by 0xD3136FB: ssh_connection (net_ssh.c:1499)
==86366==    by 0x147A16: thread_run (thread.c:375)
==86366==    by 0x50F8043: start_thread (pthread_create.c:442)
==86366==    by 0x517787F: clone (clone.S:100)
==86366==  Address 0xc946588 is 152 bytes inside a block of size 352 free'd
==86366==    at 0x484317B: free (vg_replace_malloc.c:872)
==86366==    by 0x136176: bbs_node_handler (node.c:1432)
==86366==    by 0x147A16: thread_run (thread.c:375)
==86366==    by 0x50F8043: start_thread (pthread_create.c:442)
==86366==    by 0x517787F: clone (clone.S:100)
==86366==  Block was alloc'd at
==86366==    at 0x48455EF: calloc (vg_replace_malloc.c:1328)
==86366==    by 0x117963: __bbs_calloc (alloc.c:83)
==86366==    by 0x13372C: __bbs_node_request (node.c:226)
==86366==    by 0xD3139CF: pty_request (net_ssh.c:476)
==86366==    by 0xD34E822: ??? (in /usr/lib/x86_64-linux-gnu/libssh.so.4.9.5)
==86366==    by 0xD34FAEF: ??? (in /usr/lib/x86_64-linux-gnu/libssh.so.4.9.5)
==86366==    by 0xD33DE06: ??? (in /usr/lib/x86_64-linux-gnu/libssh.so.4.9.5)
==86366==    by 0xD3556AF: ??? (in /usr/lib/x86_64-linux-gnu/libssh.so.4.9.5)
==86366==    by 0xD355E96: ??? (in /usr/lib/x86_64-linux-gnu/libssh.so.4.9.5)
==86366==    by 0xD3607DF: ??? (in /usr/lib/x86_64-linux-gnu/libssh.so.4.9.5)
==86366==    by 0xD35C8D9: ??? (in /usr/lib/x86_64-linux-gnu/libssh.so.4.9.5)
==86366==    by 0xD31305C: handle_session (net_ssh.c:776)
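The two traces above show the same ordering problem: the node is allocated in `pty_request`, a separate `bbs_node_handler` thread frees it (via `bbs_node_unlink` in the first trace, inlined into the handler in the second), and `handle_session` then reads the node at net_ssh.c:879 after joining that thread. The following is an added example, not lbbs code and not the maintainer's fix: it uses hypothetical names (`node_t`, `node_request`, `node_ref`, `node_unref`, `node_handler`, `run_session`) to show a reference-counted ownership pattern in which the handler thread only drops its own reference, so the session thread's post-join read is on live memory and valgrind reports no invalid read.

```c
/* Added example (not lbbs code): reference-counted node lifetime so that a
 * session thread that joins the node handler thread can still read the node.
 * All names here are hypothetical and only mirror the shape of the trace. */
#include <pthread.h>
#include <stdatomic.h>
#include <stdio.h>
#include <stdlib.h>

typedef struct node {
    atomic_int refs;   /* one reference per holder: session thread + handler thread */
    int id;
    char peer[64];
    pthread_t handler;
} node_t;

/* Mirrors the allocation in the trace: the requester starts with one reference. */
static node_t *node_request(int id, const char *peer)
{
    node_t *n = calloc(1, sizeof(*n));
    if (!n) {
        return NULL;
    }
    atomic_init(&n->refs, 1);
    n->id = id;
    snprintf(n->peer, sizeof(n->peer), "%s", peer);
    return n;
}

static node_t *node_ref(node_t *n)
{
    atomic_fetch_add(&n->refs, 1);
    return n;
}

/* Only the last holder frees. This is the replacement for an unconditional
 * free() in the handler thread, which is what produced the invalid read above. */
static void node_unref(node_t *n)
{
    if (atomic_fetch_sub(&n->refs, 1) == 1) {
        free(n);
    }
}

/* Handler thread: does the node's work, then drops its own reference only. */
static void *node_handler(void *arg)
{
    node_t *n = arg;
    /* ... per-node session work would go here ... */
    node_unref(n);
    return NULL;
}

/* Session thread: hands the handler its own reference, joins it, and may still
 * read the node afterwards because the session's reference is still held.
 * Returns the node id observed after the join, or a negative code on error;
 * -2 signals that the reference count was not 1 after the join (a bookkeeping bug). */
static int run_session(int id, const char *peer)
{
    node_t *n = node_request(id, peer);
    if (!n) {
        return -1;
    }
    if (pthread_create(&n->handler, NULL, node_handler, node_ref(n)) != 0) {
        node_unref(n);
        return -1;
    }
    pthread_join(n->handler, NULL);
    /* Safe read: the handler thread released its reference, ours is still live. */
    int seen = (atomic_load(&n->refs) == 1) ? n->id : -2;
    node_unref(n);   /* last reference: the free happens here, after the read */
    return seen;
}

int main(void)
{
    /* Constructed sample input: a made-up node id and peer address. */
    int id = run_session(42, "192.0.2.10");
    printf("session observed node %d after joining its handler thread\n", id);
    return id == 42 ? 0 : 1;
}
```

The same discipline can be applied without a reference count by copying whatever `handle_session` still needs out of the node before the join, but the count makes the ownership rule explicit: whichever side finishes last frees, and neither side has to know the other's timing.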