Fix memory corruption on socket close (#1113)

Fix memory corruption introduced by commit c8663f4a91 If there was an unsuccessful session registration in open_client_connection_session, it adds a timer (before it didn't). Later during runtime, at session destruction, it removes the client_socket in close_ioa_socket. Then the timer gets triggered and runs the cleanup method client_to_be_allocated_timeout_handler and tries to access the stored client_socket. This then fails as it already was freed. The fix just sets the client_socket pointer to null and then the timer should detect this and not access already freed memory. The issue affects version 4.6.0, 4.6.0-r0 and 4.6.0-r1. Co-authored-by: Paul Kramer <paul.kramer@logmein.com>
2022-12-03 10:23:19 +01:00 · 2022-12-03 10:23:19 +01:00 · d3e353fbb0
commit d3e353fbb0
parent 8b66fa4ff2
1 changed files with 9 additions and 3 deletions
--- a/src/apps/relay/ns_ioalib_engine_impl.c
+++ b/src/apps/relay/ns_ioalib_engine_impl.c
@ -1548,9 +1548,15 @@ void close_ioa_socket(ioa_socket_handle s)

 		close_socket_net_data(s);

-		s->session = NULL;
-		s->sub_session = NULL;
-		s->magic = 0;
+    if (s->session && s->session->client_socket == s) {
+      // Detaching client socket from super session to prevent mem corruption
+      // in case client_to_be_allocated_timeout_handler gets triggered
+      s->session->client_socket = NULL;
+    }
+
+    s->session = NULL;
+    s->sub_session = NULL;
+    s->magic = 0;

 		free(s);
 	}