david/ipxe

[retry] Fix potential use-after-free in timer_expired()

timer->refcnt is allowed to be NULL, in which case the timer's
expired() method may end up freeing the timer object.

Discovered using valgrind.

Signed-off-by: Michael Brown <mcb30@ipxe.org>
Michael Brown 2011-07-16 01:46:12 +01:00
parent 5b41381f33
commit 17f09dfe03
1 changed file with 3 additions and 1 deletion

@ -148,6 +148,7 @@ void stop_timer ( struct retry_timer *timer ) {
* @v timer Retry timer
*/
static void timer_expired ( struct retry_timer *timer ) {
struct refcnt *refcnt = timer->refcnt;
int fail;
/* Stop timer without performing RTT calculations */
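Review bot: the local `refcnt` is taken at function entry so that it can still be used after `timer->expired()` may have freed the timer, but nothing at the declaration says so; the only explanation is the comment next to the `ref_put()` call further down the function. A short comment on this line, e.g. `/* Copy refcnt: expired() may free timer */`, would keep the two halves of the fix together and make the invariant obvious to anyone later adding code between them.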
@ -169,8 +170,9 @@ static void timer_expired ( struct retry_timer *timer ) {
/* Call expiry callback */
timer->expired ( timer, fail );
/* If refcnt is NULL, then timer may already have been freed */
ref_put ( timer->refcnt );
ref_put ( refcnt );
}
/**
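Review bot: after `timer->expired ( timer, fail );` the `timer` pointer has to be treated as dead, and the new comment only says this indirectly; it would be clearer as `/* Do not touch timer after this point: if refcnt is NULL, expired() may have freed it */`, since that is exactly the property the switch from `ref_put ( timer->refcnt )` to `ref_put ( refcnt )` depends on. Also worth noting, here or in the commit message, that `ref_put ( refcnt )` is still called unconditionally in the case where refcnt is NULL, so the fix relies on `ref_put()` accepting a NULL argument.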