From 6eed168b7dc8aef1e2dde19700ef8db07a372583 Mon Sep 17 00:00:00 2001
From: Cory McWilliams
Date: Mon, 27 Dec 2021 22:28:27 +0000
Subject: [PATCH] Walking these callback lists that might unregister callbacks is a use after free hazard. Hmm.

git-svn-id: https://www.unprompted.com/svn/projects/tildefriends/trunk@3709 ed5197a5-7fde-0310-b194-c3ffbd925b24
---
 src/ssb.c | 20 +++++++++++++++-----
 1 file changed, 15 insertions(+), 5 deletions(-)

diff --git a/src/ssb.c b/src/ssb.c
index 90f00978..618f92d6 100644
--- a/src/ssb.c
+++ b/src/ssb.c
@@ -563,8 +563,10 @@ bool tf_ssb_id_str_to_bin(uint8_t* bin, const char* str)
 
 static void _tf_ssb_notify_connections_changed(tf_ssb_t* ssb, tf_ssb_change_t change, tf_ssb_connection_t* connection)
 {
- for (tf_ssb_connections_changed_callback_node_t* node = ssb->connections_changed; node; node = node->next)
+ tf_ssb_connections_changed_callback_node_t* next = NULL;
+ for (tf_ssb_connections_changed_callback_node_t* node = ssb->connections_changed; node; node = next)
 {
+ next = node->next;
 node->callback(ssb, change, connection, node->user_data);
 }
 }
@@ -2088,8 +2090,10 @@ static void _tf_ssb_on_broadcast_listener_alloc(uv_handle_t* handle, size_t sugg
 
 static void _tf_ssb_notify_broadcasts_changed(tf_ssb_t* ssb)
 {
- for (tf_ssb_broadcasts_changed_callback_node_t* node = ssb->broadcasts_changed; node; node = node->next)
+ tf_ssb_broadcasts_changed_callback_node_t* next = NULL;
+ for (tf_ssb_broadcasts_changed_callback_node_t* node = ssb->broadcasts_changed; node; node = next)
 {
+ next = node->next;
 if (node->callback)
 {
 node->callback(ssb, node->user_data);
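Review bot: Saving `next` before the call in `_tf_ssb_notify_connections_changed` only covers a callback that unregisters itself; if a callback unregisters the entry that follows it, and removal frees the node as the commit message implies, the saved `next` dangles and the loop dereferences freed memory on the following iteration. The same pattern is used in `_tf_ssb_notify_broadcasts_changed`, `tf_ssb_notify_message_added` and `tf_ssb_notify_blob_want_added`. The remove functions are outside this diff, so this is inferred rather than confirmed. Either defer the free while a walk is in progress (mark the node dead and sweep after the loop), or state the contract above each loop, e.g. `/* A callback may unregister itself during this walk, but must not unregister any other callback on this list. */`.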
@@ -2162,8 +2166,10 @@ static void _tf_ssb_on_broadcast_listener_recv(uv_udp_t* handle, ssize_t nread,
 void tf_ssb_visit_broadcasts(tf_ssb_t* ssb, void (*callback)(const struct sockaddr_in* addr, const uint8_t* pub, void* user_data), void* user_data)
 {
 time_t now = time(NULL);
- for (tf_ssb_broadcast_t* node = ssb->broadcasts; node; node = node->next)
+ tf_ssb_broadcast_t* next = NULL;
+ for (tf_ssb_broadcast_t* node = ssb->broadcasts; node; node = next)
 {
+ next = node->next;
 if (node->mtime - now < 60)
 {
 callback(&node->addr, node->pub, user_data);
@@ -2417,8 +2423,10 @@ void tf_ssb_remove_message_added_callback(tf_ssb_t* ssb, tf_ssb_message_added_ca
 
 void tf_ssb_notify_message_added(tf_ssb_t* ssb, const char* id)
 {
- for (tf_ssb_message_added_callback_node_t* node = ssb->message_added; node; node = node->next)
+ tf_ssb_message_added_callback_node_t* next = NULL;
+ for (tf_ssb_message_added_callback_node_t* node = ssb->message_added; node; node = next)
 {
+ next = node->next;
 node->callback(ssb, id, node->user_data);
 }
 }
@@ -2461,8 +2469,10 @@ void tf_ssb_remove_blob_want_added_callback(tf_ssb_t* ssb, tf_ssb_blob_want_adde
 
 void tf_ssb_notify_blob_want_added(tf_ssb_t* ssb, const char* id)
 {
- for (tf_ssb_blob_want_added_callback_node_t* node = ssb->blob_want_added; node; node = node->next)
+ tf_ssb_blob_want_added_callback_node_t* next = NULL;
+ for (tf_ssb_blob_want_added_callback_node_t* node = ssb->blob_want_added; node; node = next)
 {
+ next = node->next;
 node->callback(ssb, id, node->user_data);
 }
 }
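Review bot: The freshness test `node->mtime - now < 60` in `tf_ssb_visit_broadcasts` appears to have its operands reversed. If `mtime` records when the broadcast was last seen (its declaration is not in this diff), the difference is zero or negative for every entry, so the condition always holds and stale peer addresses are still handed to the caller's callback. The intended check is probably `if (now - node->mtime < 60)`. The function body continues past the end of the hunk, so any later expiry handling is not visible here.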
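Review bot: `node->callback` is invoked without a null check in `tf_ssb_notify_message_added`, and likewise in `tf_ssb_notify_blob_want_added` and `_tf_ssb_notify_connections_changed`, while `_tf_ssb_notify_broadcasts_changed` guards the call with `if (node->callback)`. The registration functions are not part of this diff, so whether a null callback can be stored is not visible; if it can, the unguarded loops call through a null pointer. Either apply the same guard in all four loops or reject null at registration and drop the guard from the one loop that has it.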