From: Andrew J. Schorr <ajschorr@alumni.princeton.edu>
Date: Tue, 11 Jul 2006 00:06:49 +0000 (+0000)
Subject: [lib] Do not call vty_close in vty_log_out to avoid possible free memory access
X-Git-Tag: frr-2.0-rc1~2638
X-Git-Url: https://git.puffer.fish/?a=commitdiff_plain;h=9d0a3260b2d1b57b7edfd3f72885d861883d4621;p=mirror%2Ffrr.git

[lib] Do not call vty_close in vty_log_out to avoid possible free memory access

2006-07-10 Andrew J. Schorr <ajschorr@alumni.princeton.edu>

	* vty.c: (vty_log_out) Do not call vty_close, because this could
	  result in a parent function's accessing the freed memory.
	  Instead, set status VTY_CLOSE and call shutdown(vty->fd, SHUT_RDWR).
	  And add a comment on vty_close.
---

diff --git a/lib/ChangeLog b/lib/ChangeLog
index 25df2657e0..02148671a9 100644
--- a/lib/ChangeLog
+++ b/lib/ChangeLog
@@ -1,3 +1,10 @@
+2006-07-10 Andrew J. Schorr <ajschorr@alumni.princeton.edu>
+
+	* vty.c: (vty_log_out) Do not call vty_close, because this could
+	  result in a parent function's accessing the freed memory.
+	  Instead, set status VTY_CLOSE and call shutdown(vty->fd, SHUT_RDWR).
+	  And add a comment on vty_close.
+
 2006-07-10 Andrew J. Schorr <ajschorr@alumni.princeton.edu>
 
 	* vty.c: (vty_log_out, vty_read, vty_flush, vtysh_flush, vtysh_read)
diff --git a/lib/vty.c b/lib/vty.c
index 98e75060f0..4288e150d1 100644
--- a/lib/vty.c
+++ b/lib/vty.c
@@ -186,7 +186,10 @@ vty_log_out (struct vty *vty, const char *level, const char *proto_str,
       zlog_warn("%s: write failed to vty client fd %d, closing: %s",
 		__func__, vty->fd, safe_strerror(errno));
       buffer_reset(vty->obuf);
-      vty_close(vty);
+      /* cannot call vty_close, because a parent routine may still try
+         to access the vty struct */
+      vty->status = VTY_CLOSE;
+      shutdown(vty->fd, SHUT_RDWR);
       return -1;
     }
   return 0;
@@ -2141,7 +2144,10 @@ vty_serv_sock (const char *addr, unsigned short port, const char *path)
 #endif /* VTYSH */
 }
 
-/* Close vty interface. */
+/* Close vty interface.  Warning: call this only from functions that
+   will be careful not to access the vty afterwards (since it has
+   now been freed).  This is safest from top-level functions (called
+   directly by the thread dispatcher). */
 void
 vty_close (struct vty *vty)
 {