jvinet / knock

A port-knocking daemon
http://www.zeroflux.org/projects/knock
GNU General Public License v2.0

Fixed further use-after-free based on jvinet/knock#74. #75

Closed TDFKAOlli closed 3 years ago

TDFKAOlli commented 3 years ago

Fixed additional use-after-free problem in knockd based on pull request #74 (and some additional changes):

  1. lp->data pointer is freed in close_door() and freed again in list_free(doors) (double free)
  2. doors pointer is not set to NULL but freed in list_free(doors). Later in parseconfig(), in function list_add(doors, door), it is not reallocated if the pointer is not NULL (use-after-free).
  3. Moved logprint and vprint lines below reopening of logfile, otherwise - with the change in #74 - the logprint output would never be logged.
dimkr commented 3 years ago

There's more of them, @TDFKAOlli, and I keep finding more with each test I do 😄

(There are memory leaks, too, but I'm more worried about the segfaults right now)

TDFKAOlli commented 3 years ago

@dimkr Yeah, looks like 😄 Just had a look too and found those two. On openwrt a kill -SIGHUP was working afterwards... doesn't mean much 😉 Good you address it with a sanitizer.

TDFKAOlli commented 3 years ago

Changes are already included in #74. Closing this pull request.