[retry] Fix potential use-after-free in timer_expired()

timer->refcnt is allowed to be NULL, in which case the timer's
expired() method may end up freeing the timer object.

Discovered using valgrind.

Signed-off-by: Michael Brown <mcb30@ipxe.org>

diff --git a/src/net/retry.c b/src/net/retry.c
index 0aa165abbbd84f6e9b22f649d6794f3afd7551bf..7e20f0c8a835644c13ceeff622aacb92035321c9 100644 (file)
--- a/src/net/retry.c
+++ b/src/net/retry.c
@@ -148,6 +148,7 @@ void stop_timer ( struct retry_timer *timer ) {
  * @v timer            Retry timer
  */
 static void timer_expired ( struct retry_timer *timer ) {
+       struct refcnt *refcnt = timer->refcnt;
        int fail;
 
        /* Stop timer without performing RTT calculations */
@@ -169,8 +170,9 @@ static void timer_expired ( struct retry_timer *timer ) {
 
        /* Call expiry callback */
        timer->expired ( timer, fail );
+       /* If refcnt is NULL, then timer may already have been freed */
 
-       ref_put ( timer->refcnt );
+       ref_put ( refcnt );
 }
 
 /**