Commit ea64d5f0 authored Nov 13, 2016 by Samuel Thibault

slirp: Fix access to freed memory



if_start() goes through the slirp->if_fastq and slirp->if_batchq
list of pending messages, and accesses ifm->ifq_so->so_nqueued of its
elements if ifm->ifq_so != NULL.  When freeing a socket, we thus need
to make sure that any pending message for this socket does not refer
to the socket any more.

Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
Tested-by: Brian Candler <b.candler@pobox.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>

parent 83c83f9a

slirp/socket.c

+17 −0

Original line number	Diff line number	Diff line
		@@ -66,6 +66,23 @@ void
		sofree(struct socket *so)
		{
		Slirp *slirp = so->slirp;
		struct mbuf *ifm;

		for (ifm = (struct mbuf *) slirp->if_fastq.qh_link;
		(struct quehead *) ifm != &slirp->if_fastq;
		ifm = ifm->ifq_next) {
		if (ifm->ifq_so == so) {
		ifm->ifq_so = NULL;
		}
		}

		for (ifm = (struct mbuf *) slirp->if_batchq.qh_link;
		(struct quehead *) ifm != &slirp->if_batchq;
		ifm = ifm->ifq_next) {
		if (ifm->ifq_so == so) {
		ifm->ifq_so = NULL;
		}
		}

		if (so->so_emu==EMU_RSH && so->extra) {
		sofree(so->extra);