Merge branch '4549-heap-use-after-free-lib-isccc-ccmsg-c-160-in-ccmsg_senddone' into 'main'

Resolve "heap-use-after-free lib/isccc/ccmsg.c:160 in ccmsg_senddone" Closes #4549 See merge request isc-projects/bind9!8692
2026-06-08 22:22:05 -04:00 · 2024-02-08 17:34:46 +00:00 · 2024-02-08 17:34:46 +00:00 · 606f2daaa2
commit 606f2daaa2
parent de25743e00 6c15e45328
4 changed files with 11 additions and 17 deletions
--- a/2
+++ b/2
@ -1,3 +1,5 @@
+6341.	[bug]		Address use after free in ccmsg_senddone. [GL #4549]
+
 6340.	[test]		Fix incorrectly reported errors when running tests
 			with `make test` on platforms with older pytest.
 			[GL #4560]
--- a/bin/named/controlconf.c
+++ b/bin/named/controlconf.c
@ -262,10 +262,11 @@ control_senddone(isc_nmhandle_t *handle, isc_result_t result, void *arg) {
 		/* Everything is peachy, continue reading from the socket */
 		isccc_ccmsg_readmessage(&conn->ccmsg, control_recvmessage,
 					conn);
-		goto done;
+		/* Detach the sending reference */
+		controlconnection_detach(&conn);
+		return;
 	}

-	/* This is the error path */
 	if (result != ISC_R_SHUTTINGDOWN) {
 		char socktext[ISC_SOCKADDR_FORMATSIZE];
 		isc_sockaddr_t peeraddr = isc_nmhandle_peeraddr(handle);
@ -277,9 +278,9 @@ control_senddone(isc_nmhandle_t *handle, isc_result_t result, void *arg) {
 			      socktext, isc_result_totext(result));
 	}

+	/* Shutdown the reading */
 	conn_shutdown(conn);

-done:
 	/* Detach the sending reference */
 	controlconnection_detach(&conn);
 }
@ -559,9 +560,6 @@ cleanup:
 	case ISC_R_EOF:
 		break;
 	default:
-		/* We can't get here on normal path */
-		INSIST(result != ISC_R_SUCCESS);
-
 		log_invalid(&conn->ccmsg, result);
 	}

--- a/lib/isccc/ccmsg.c
+++ b/lib/isccc/ccmsg.c
@ -102,10 +102,7 @@ recv_data(isc_nmhandle_t *handle, isc_result_t eresult, isc_region_t *region,

 done:
 	isc_nm_read_stop(handle);
-	if (ccmsg->reading) {
-		ccmsg->reading = false;
-		ccmsg->recv_cb(handle, eresult, ccmsg->recv_cbarg);
-	}
+	ccmsg->recv_cb(handle, eresult, ccmsg->recv_cbarg);

 	return;
 }
@ -145,7 +142,6 @@ isccc_ccmsg_readmessage(isccc_ccmsg_t *ccmsg, isc_nm_cb_t cb, void *cbarg) {
 	ccmsg->recv_cbarg = cbarg;
 	ccmsg->length_received = false;

-	ccmsg->reading = true;
 	isc_nm_read(ccmsg->handle, recv_data, ccmsg);
 }

@ -154,14 +150,12 @@ ccmsg_senddone(isc_nmhandle_t *handle, isc_result_t eresult, void *arg) {
 	isccc_ccmsg_t *ccmsg = arg;

 	REQUIRE(VALID_CCMSG(ccmsg));
+	REQUIRE(ccmsg->send_cb != NULL);

-	INSIST(ccmsg->send_cb != NULL);
-	ccmsg->send_cb(handle, eresult, ccmsg->send_cbarg);
+	isc_nm_cb_t send_cb = ccmsg->send_cb;
 	ccmsg->send_cb = NULL;

-	if (eresult != ISC_R_SUCCESS && ccmsg->reading) {
-		recv_data(handle, eresult, NULL, ccmsg);
-	}
+	send_cb(handle, eresult, ccmsg->send_cbarg);

 	isc_nmhandle_detach(&handle);
 }
@ -184,6 +178,7 @@ isccc_ccmsg_disconnect(isccc_ccmsg_t *ccmsg) {
 	REQUIRE(VALID_CCMSG(ccmsg));

 	if (ccmsg->handle != NULL) {
+		isc_nm_read_stop(ccmsg->handle);
 		isc_nmhandle_close(ccmsg->handle);
 		isc_nmhandle_detach(&ccmsg->handle);
 	}
--- a/lib/isccc/include/isccc/ccmsg.h
+++ b/lib/isccc/include/isccc/ccmsg.h
@ -54,7 +54,6 @@ typedef struct isccc_ccmsg {
 	void	       *recv_cbarg;
 	isc_nm_cb_t	send_cb;
 	void	       *send_cbarg;
-	bool		reading;
 } isccc_ccmsg_t;

 ISC_LANG_BEGINDECLS