From 8d3855ba31e454990a20cdf19b30fab8d3a7f095 Mon Sep 17 00:00:00 2001
From: Tobias Brunner
Date: Tue, 13 May 2025 16:43:07 +0200
Subject: [PATCH] vici: Don't pass stack variable to thread cleanup handler

The variable seems to get overwritten during cleanup, causing a segmentation fault because either the pointer and/or the length is invalid.
---
 src/libcharon/plugins/vici/vici_socket.c | 19 +++++++++++++++----
 1 file changed, 15 insertions(+), 4 deletions(-)

diff --git a/src/libcharon/plugins/vici/vici_socket.c b/src/libcharon/plugins/vici/vici_socket.c
index 39d34e4d3e..156f0c89dc 100644
--- a/src/libcharon/plugins/vici/vici_socket.c
+++ b/src/libcharon/plugins/vici/vici_socket.c
@@ -480,6 +480,15 @@ static bool do_read(private_vici_socket_t *this, entry_t *entry,
return TRUE;
}

+/**
+ * Clear the given chunk and free it
+ */
+static void destroy_request_chunk(chunk_t *chunk)
+{
+ chunk_clear(chunk);
+ free(chunk);
+}
+
/**
* Callback processing incoming requests in strict order
*/
@@ -487,7 +496,7 @@ CALLBACK(process_queue, job_requeue_t,
entry_selector_t *sel)
{
entry_t *entry;
- chunk_t chunk;
+ chunk_t *chunk;
bool found;
u_int id;

@@ -499,7 +508,8 @@ CALLBACK(process_queue, job_requeue_t,
break;
}

- found = array_remove(entry->queue, ARRAY_HEAD, &chunk);
+ INIT(chunk);
+ found = array_remove(entry->queue, ARRAY_HEAD, chunk);
if (!found)
{
entry->has_processor = FALSE;
@@ -508,11 +518,12 @@ CALLBACK(process_queue, job_requeue_t,
put_entry(sel->this, entry, TRUE, FALSE);
if (!found)
{
+ free(chunk);
break;
}

- thread_cleanup_push((void*)chunk_clear, &chunk);
- sel->this->inbound(sel->this->user, id, chunk);
+ thread_cleanup_push((void*)destroy_request_chunk, chunk);
+ sel->this->inbound(sel->this->user, id, *chunk);
thread_cleanup_pop(TRUE);
}
return JOB_REQUEUE_NONE;
--
2.47.3
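Review bot: destroy_request_chunk() is declared with a `chunk_t *` parameter, yet the last hunk registers it through `thread_cleanup_push((void*)destroy_request_chunk, chunk)`, and that `(void*)` cast converts a function pointer to an object pointer and silences any mismatch with the handler type thread_cleanup_push expects. Giving the helper the handler's own shape, `static void destroy_request_chunk(void *data)` with `chunk_t *chunk = data;` as its first statement, lets it be pushed as `thread_cleanup_push(destroy_request_chunk, chunk)` with no cast at all. The doc comment should also spell out the ownership contract the helper depends on, because `free(chunk)` is only valid for the heap holder that INIT() creates: `/** Thread cleanup handler for process_queue(): wipes the dequeued request data and frees the chunk_t holder, which must have been allocated with INIT(). */`. Whether the push compiles without the cast depends on the prototype of thread_cleanup_push, which is not part of this patch.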
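Review bot: The `free(chunk)` added in the not-found branch is a second release path for the holder allocated by INIT() in the previous hunk, and nothing there says why chunk_clear() is skipped, so a reader comparing it with destroy_request_chunk() a few lines below will wonder whether request data leaks. A one-line comment settles it: `free(chunk); /* nothing was dequeued, only the zeroed holder from INIT() needs releasing */`. Between array_remove() in the previous hunk and thread_cleanup_push() here the holder and the dequeued data are owned by the loop with no cleanup handler registered, so if put_entry() can act as a cancellation point (not visible from this patch) both would leak on cancellation; pushing the handler right after INIT() would close that window, provided chunk_clear() tolerates the still-zeroed chunk on the not-found path. The enclosing loop of process_queue starts before this hunk.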