From: Michael Brown Date: Sat, 16 Jul 2011 00:46:12 +0000 (+0100) Subject: [retry] Fix potential use-after-free in timer_expired() X-Git-Tag: v1.20.1~2084 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=17f09dfe03a8c6b46d30844d3cee28266b6971fe;p=thirdparty%2Fipxe.git [retry] Fix potential use-after-free in timer_expired() timer->refcnt is allowed to be NULL, in which case the timer's expired() method may end up freeing the timer object. Discovered using valgrind. Signed-off-by: Michael Brown --- diff --git a/src/net/retry.c b/src/net/retry.c index 0aa165abb..7e20f0c8a 100644 --- a/src/net/retry.c +++ b/src/net/retry.c @@ -148,6 +148,7 @@ void stop_timer ( struct retry_timer *timer ) { * @v timer Retry timer */ static void timer_expired ( struct retry_timer *timer ) { + struct refcnt *refcnt = timer->refcnt; int fail; /* Stop timer without performing RTT calculations */ @@ -169,8 +170,9 @@ static void timer_expired ( struct retry_timer *timer ) { /* Call expiry callback */ timer->expired ( timer, fail ); + /* If refcnt is NULL, then timer may already have been freed */ - ref_put ( timer->refcnt ); + ref_put ( refcnt ); } /**
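Review bot: the new `struct refcnt *refcnt = timer->refcnt;` declaration in the first hunk carries no comment, so a reader of timer_expired() sees an unexplained copy of a field before `int fail;` and has to reach the second hunk to learn why it exists. Suggest a one-line comment at the declaration, e.g. `/* Cache refcnt: the expired() callback may free the timer */`, so the reason for the local copy is visible where the copy is made rather than only at the ref_put() site. It is also worth a note in the commit message that when refcnt is non-NULL the timer already held a reference across the callback, so the behaviour only changes for the NULL case the message describes.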
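Review bot: in the second hunk the comment `/* If refcnt is NULL, then timer may already have been freed */` describes the failure condition but not the rule that follows from it; since `timer->expired ( timer, fail );` may free the object, the invariant is that `timer` must not be dereferenced anywhere after that call returns. Suggest wording the comment to say so explicitly (e.g. "Do not touch timer after this point: with a NULL refcnt the expired() callback may have freed it") so that a later edit does not reintroduce a `timer->` access below the callback. The replacement `ref_put ( refcnt );` also relies on ref_put() accepting a NULL pointer; the previous `ref_put ( timer->refcnt );` already passed NULL in that case, so this is not a new dependency, but stating it in the comment would make the NULL path self-evident.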