From: Tobias Brunner
Date: Tue, 13 May 2025 14:43:07 +0000 (+0200)
Subject: vici: Don't pass stack variable to thread cleanup handler
X-Git-Tag: 6.0.2dr1~17^2~1
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=8d3855ba31e454990a20cdf19b30fab8d3a7f095;p=thirdparty%2Fstrongswan.git

vici: Don't pass stack variable to thread cleanup handler

The variable seems to get overwritten during cleanup, causing a segmentation fault because either the pointer and/or the length is invalid.
---

diff --git a/src/libcharon/plugins/vici/vici_socket.c b/src/libcharon/plugins/vici/vici_socket.c
index 39d34e4d3e..156f0c89dc 100644
--- a/src/libcharon/plugins/vici/vici_socket.c
+++ b/src/libcharon/plugins/vici/vici_socket.c
@@ -480,6 +480,15 @@ static bool do_read(private_vici_socket_t *this, entry_t *entry,
 return TRUE;
 }
 
+/**
+ * Clear the given chunk and free it
+ */
+static void destroy_request_chunk(chunk_t *chunk)
+{
+ chunk_clear(chunk);
+ free(chunk);
+}
+
 /**
 * Callback processing incoming requests in strict order
 */
@@ -487,7 +496,7 @@ CALLBACK(process_queue, job_requeue_t,
 entry_selector_t *sel)
 {
 entry_t *entry;
- chunk_t chunk;
+ chunk_t *chunk;
 bool found;
 u_int id;
 
@@ -499,7 +508,8 @@ CALLBACK(process_queue, job_requeue_t,
 break;
 }
 
- found = array_remove(entry->queue, ARRAY_HEAD, &chunk);
+ INIT(chunk);
+ found = array_remove(entry->queue, ARRAY_HEAD, chunk);
 if (!found)
 {
 entry->has_processor = FALSE;
@@ -508,11 +518,12 @@ CALLBACK(process_queue, job_requeue_t,
 put_entry(sel->this, entry, TRUE, FALSE);
 if (!found)
 {
+ free(chunk);
 break;
 }
 
- thread_cleanup_push((void*)chunk_clear, &chunk);
- sel->this->inbound(sel->this->user, id, chunk);
+ thread_cleanup_push((void*)destroy_request_chunk, chunk);
+ sel->this->inbound(sel->this->user, id, *chunk);
 thread_cleanup_pop(TRUE);
 }
 return JOB_REQUEUE_NONE;
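Review bot: destroy_request_chunk() is declared with a `chunk_t *` parameter but is only used as a thread cleanup handler, and the last hunk has to register it through a `(void*)` cast, which switches off the compiler's check of the handler signature; calling a function through a pointer of a different type is undefined behaviour in C and is what control-flow-integrity builds trap on. Assuming the handler type takes a single `void *` argument (the prototype of thread_cleanup_push() is not visible in this diff), declare the helper as `static void destroy_request_chunk(void *arg)` with `chunk_t *chunk = arg;` as its first line, and register it as `thread_cleanup_push(destroy_request_chunk, chunk);`. The doc comment could also state the ownership rule the commit relies on, e.g. `Thread cleanup handler: clear and free a heap-allocated request chunk (must not point into the caller's stack)`.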
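Review bot: `INIT(chunk);` allocates on every pass of the loop before `array_remove()` has reported whether a request was queued, so the terminating pass allocates a chunk only for the `free(chunk)` in the next hunk to release it, and the allocation ends up with two separate release paths that must stay in sync. Removing into a local `chunk_t head` and moving to the heap only once `found` is known would leave a single owner: `found = array_remove(entry->queue, ARRAY_HEAD, &head);` here, then `INIT(chunk); *chunk = head;` after the `!found` break, with the stack copy never handed to the cleanup handler. If the current order is kept, a comment such as `/* heap-allocated, the cleanup handler must not reference our stack */` above the INIT would record why the indirection exists. The loop this hunk sits in starts and ends outside the hunk.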