data-control: Fix use-after-free in on_receive #336
Conversation
|
Thanks for tracking this down!
|
|
Actually, the handler should be referenced by |
That makes sense. There can be multiple handlers running concurrently so they would need to be stored in some list/queue though. I also think it that it makes sense that the receive context is decoupled from the client. I thought that was the intention when reading the code, and none of the things in receive_context are necessarily tied to the client (cleaned up when it's gone). Edit: But I guess aml_stop would then need to be called for them when the server stops. So between server and client it makes more sense to just stop them when the client is destroyed if they are still running. |
layercak3
force-pushed
the
data-control-uaf
branch
from
f7a939f to
f1a6da0
Compare
|
I just added the receive context/aml handler to a linked list so I can stop the receive contexts when closing the client. |
layercak3
force-pushed
the
data-control-uaf
branch
from
f1a6da0 to
9b26011
Compare
|
I understand it better now. Thanks for your help and blog post. |
|
blog post? |
|
https://andri.yngvason.is/managing-object-lifetimes-in-c.html |
layercak3
force-pushed
the
data-control-uaf
branch
from
9b26011 to
8399afc
Compare
Previously the receive handlers were kept alive after the client was closed. These can just be cancelled when the client is closed. This also fixes a use-after-free because a reference to data_control (part of wayvnc_client) is in the receive_context.
The data_control reference was only used to get to the server.
layercak3
force-pushed
the
data-control-uaf
branch
from
8399afc to
fa4cfda
Compare
|
LGTM. |
|
Thanks! |
If a client is closed between the time that one of its receive contexts is created and the time that the receive context is finished reading from its fd, when it is finished and finally calls nvnc_send_cut_text it will access ctx->data_control->server, but data_control is part of the wayvnc_client object which was freed when the client was closed.
The only purpose of the data_control pointer being in receive_context was to pass data_control->server to nvnc_send_cut_text, so receive_context can just store that server pointer itself.
This was the issue I found in any1/neatvnc#114 (comment)
Can be reproduced by having a VNC client open, then
wl-copy < /some/obnoxiously/large/uncompressible/texton the server and immediately closing the VNC client after running that command.I have read and understood CONTRIBUTING.md.