mtcp-stack / mtcp

mTCP: A Highly Scalable User-level TCP Stack for Multicore Systems

"use after free" bug #156

Closed simpx closed 6 years ago

simpx commented 6 years ago

https://github.com/eunyoung14/mtcp/blob/master/mtcp/src/tcp_in.c#L761

```c
if (cur_stream->socket) {
    RaiseWriteEvent(mtcp, cur_stream);
} else {
    TRACE_STATE("Stream %d: ESTABLISHED, but no socket\n", cur_stream->id);
    SendTCPPacketStandalone(mtcp,
            iph->daddr, tcph->dest, iph->saddr, tcph->source,
            0, seq + payloadlen + 1, 0, TCP_FLAG_RST | TCP_FLAG_ACK,
            NULL, 0, cur_ts, 0);
    cur_stream->close_reason = TCP_ACTIVE_CLOSE;
    DestroyTCPStream(mtcp, cur_stream);
}
AddtoControlList(mtcp, cur_stream, cur_ts);
```

If cur_stream->socket is NULL, this code will call AddtoControlList after DestroyTCPStream.

ajamshed commented 6 years ago

simpx, Apologies for the delayed response. I am surprised that no one caught this issue earlier. You are right. This needs a return statement right after DestroyTCPStream(...). I will add this fix in my next check in.
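The fall-through described in this thread, reduced to a small model (an added example, not mTCP code and not written by either commenter). The struct, the function names and the `live` flag are simplified stand-ins; the flag replaces the real pool free so that the stale access can be counted without undefined behaviour.

```c
#include <stdbool.h>
#include <stddef.h>

/* Simplified stand-in for a TCP stream object (hypothetical, not mTCP's). */
struct stream {
    void *socket;           /* NULL when no application socket is attached */
    bool  live;             /* false once the stream has been destroyed */
    bool  on_control_list;
};

static int stale_uses;      /* touches of a stream after it was destroyed */

static void destroy_stream(struct stream *s) {
    s->live = false;        /* real code would return the memory to a pool */
}

static void add_to_control_list(struct stream *s) {
    if (!s->live) { stale_uses++; return; }  /* would be a use-after-free */
    s->on_control_list = true;
}

/* Control flow as posted in the issue: falls through after the destroy. */
static void on_established_buggy(struct stream *s) {
    if (s->socket) {
        /* raise write event */
    } else {
        destroy_stream(s);
    }
    add_to_control_list(s);
}

/* Same flow with a return placed right after the destroy. */
static void on_established_fixed(struct stream *s) {
    if (s->socket) {
        /* raise write event */
    } else {
        destroy_stream(s);
        return;
    }
    add_to_control_list(s);
}

/* Runs one handler on a socket-less stream; returns stale accesses seen. */
int stale_uses_for(bool fixed) {
    struct stream s = { .socket = NULL, .live = true };
    stale_uses = 0;
    if (fixed) on_established_fixed(&s); else on_established_buggy(&s);
    return stale_uses;
}
```

In a real build the same defect is the kind of access AddressSanitizer reports as heap-use-after-free, provided the stream memory is actually freed rather than recycled by a custom pool allocator.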