From: W.C.A. Wijngaards
Date: Mon, 28 Nov 2022 09:04:52 +0000 (+0100)
Subject: - Fix for the ignore of tcp events for closed comm points, preserve
X-Git-Tag: release-1.17.1rc1~15
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=6f7da59b7744c345be580db2bd9b37380cab5a42;p=thirdparty%2Funbound.git
- Fix for the ignore of tcp events for closed comm points, preserve the use after free protection features.
---
diff --git a/doc/Changelog b/doc/Changelog
index 0375b0716..17b25f1f8 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,7 @@
+28 November 2022: Wouter
+ - Fix for the ignore of tcp events for closed comm points, preserve
+ the use after free protection features.
+
 22 November 2022: George
 - Ignore expired error responses.
diff --git a/util/netevent.c b/util/netevent.c
index 6ddeb076d..fe3d51164 100644
--- a/util/netevent.c
+++ b/util/netevent.c
@@ -2665,6 +2665,7 @@ comm_point_tcp_handle_callback(int fd, short event, void* arg)
 #endif
 ) {
 int has_tcpq = (c->tcp_req_info != NULL);
+ int* moreread = c->tcp_more_read_again;
 if(!comm_point_tcp_handle_read(fd, c, 0)) {
 reclaim_tcp_handler(c);
 if(!c->tcp_do_close) {
@@ -2679,12 +2680,13 @@ comm_point_tcp_handle_callback(int fd, short event, void* arg)
 if(!tcp_req_info_read_again(fd, c))
 return;
 }
- if(c->tcp_more_read_again && *c->tcp_more_read_again)
+ if(moreread && *moreread)
 tcp_more_read_again(fd, c);
 return;
 }
 if(event&UB_EV_WRITE) {
 int has_tcpq = (c->tcp_req_info != NULL);
+ int* morewrite = c->tcp_more_write_again;
 if(!comm_point_tcp_handle_write(fd, c)) {
 reclaim_tcp_handler(c);
 if(!c->tcp_do_close) {
@@ -2699,7 +2701,7 @@ comm_point_tcp_handle_callback(int fd, short event, void* arg)
 if(!tcp_req_info_read_again(fd, c))
 return;
 }
- if(c->tcp_more_write_again && *c->tcp_more_write_again)
+ if(morewrite && *morewrite)
 tcp_more_write_again(fd, c);
 return;
 }
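Review bot: The `moreread` local added in the `@@ -2665,6 +2665,7 @@` hunk (and `morewrite` in the following hunk) carries no comment explaining that it must be read before `comm_point_tcp_handle_read()` is called, and that ordering is what keeps the later test from touching `c` after the handler may have closed or deleted it. Without it, a later cleanup could fold the local back into `c->tcp_more_read_again` and bring back the read of a possibly freed comm point. I would add above the declaration: `/* read before the handler runs; it may close or delete c, so c->tcp_more_read_again must not be read afterwards */`. The int behind the pointer also has to outlive the comm point for `*moreread` to be safe; its owner is not visible in this diff, so that is worth confirming and stating in the same comment. The enclosing function starts and ends outside the hunk.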
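Review bot: In the `@@ -2679,12 +2680,13 @@` hunk, `tcp_more_read_again(fd, c)` still receives `c` after the handler has run, so the rewritten test `if(moreread && *moreread)` is only a safe gate because `comm_point_close()` now clears the flag; the write side in the `@@ -2699,7 +2701,7 @@` hunk has the same shape. That dependency crosses two functions and is not stated at either call site, so I would add `/* nonzero only while c is open: comm_point_close() clears the flag */` above both tests. Any path that releases `c` without going through `comm_point_close()` would leave the flag set and reach the call with a stale `c`; whether such a path exists cannot be told from this diff. The function body continues outside the hunk.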
@@ -4495,6 +4497,11 @@ comm_point_close(struct comm_point* c)
 tcp_req_info_clear(c->tcp_req_info);
 if(c->h2_session)
 http2_session_server_delete(c->h2_session);
+ /* stop the comm point from reading or writing after it is closed. */
+ if(c->tcp_more_read_again && *c->tcp_more_read_again)
+ *c->tcp_more_read_again = 0;
+ if(c->tcp_more_write_again && *c->tcp_more_write_again)
+ *c->tcp_more_write_again = 0;
 /* close fd after removing from event lists, or epoll.. is messed up */
 if(c->fd != -1 && !c->do_not_close) {
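Review bot: The added lines in `comm_point_close()` store through `c->tcp_more_read_again` and `c->tcp_more_write_again`, so closing a comm point now depends on the ints behind those pointers still being valid at close time. Those ints presumably live in a structure other than the comm point; if that owner can be released before its comm point is closed, the two stores would write into freed memory, and the teardown order cannot be checked from this hunk. I would extend the new comment with the requirement, e.g. `/* the flags pointed to must outlive the comm point */`. Separately, testing the value before storing 0 is redundant: `if(c->tcp_more_read_again) *c->tcp_more_read_again = 0;` (and the same for the write flag) does the same thing. The body of `comm_point_close()` starts and ends outside the hunk.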