[Pcsclite-git-commit] [PCSC] 01/03: SCardReleaseContext: prevent use-after-free of cardsList

Ludovic Rousseau rousseau at moszumanska.debian.org
Fri Dec 30 17:13:03 UTC 2016


This is an automated email from the git hooks/post-receive script.

rousseau pushed a commit to branch master
in repository PCSC.

commit 697fe05967af7ea215bcd5d5774be587780c9e22
Author: Peter Wu <peter at lekensteyn.nl>
Date:   Sun Dec 25 23:31:24 2016 +0100

    SCardReleaseContext: prevent use-after-free of cardsList
    
    Once MSGRemoveContext is invoked (via SCARD_RELEASE_CONTEXT),
    cardsList is freed. A repeated invocation of SCARD_RELEASE_CONTEXT (with
    an empty context handle) results in a use-after-free followed by a
    double-free.
    
    After MSGRemoveContext, invocation of SCardEstablishContext enables
    further use-after-free of cardsList in MSGCheckHandleAssociation,
    MSGRemoveContext, MSGAddHandle, MSGRemoveHandle.
    
    To avoid this problem, destroy the list only when the client connection
    is terminated.
---
 src/winscard_svc.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/winscard_svc.c b/src/winscard_svc.c
index 20f2976..406030f 100644
--- a/src/winscard_svc.c
+++ b/src/winscard_svc.c
@@ -881,7 +881,6 @@ static LONG MSGRemoveContext(SCARDCONTEXT hContext, SCONTEXT * threadContext)
 		UNREF_READER(rContext)
 	}
 	(void)pthread_mutex_unlock(&threadContext->cardsList_lock);
-	list_destroy(&threadContext->cardsList);
 
 	/* We only mark the context as no longer in use.
 	 * The memory is freed in MSGCleanupCLient() */
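Review bot: with list_destroy() removed after the unlock, nothing visible in this hunk leaves cardsList empty once the context is released; the loop above only shows UNREF_READER(rContext). If that loop does not delete each entry, handles from the released context stay in the list and will still be found by MSGCheckHandleAssociation after a later SCardEstablishContext on the same connection. Please confirm the loop removes every element, or clear the list (for example with list_clear()) while cardsList_lock is still held. The trailing comment could also say that cardsList itself is now destroyed in MSGCleanupClient(), and its "MSGCleanupCLient" spelling could be fixed while the area is being touched.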
@@ -992,6 +991,10 @@ static LONG MSGCleanupClient(SCONTEXT * threadContext)
 		(void)MSGRemoveContext(threadContext->hContext, threadContext);
 	}
 
+	(void)pthread_mutex_lock(&threadContext->cardsList_lock);
+	list_destroy(&threadContext->cardsList);
+	(void)pthread_mutex_unlock(&threadContext->cardsList_lock);
+
 	Log3(PCSC_LOG_DEBUG,
 		"Thread is stopping: dwClientID=%d, threadContext @%p",
 		threadContext->dwClientID, threadContext);
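Review bot: the new list_destroy() sits after the closing brace of the block that calls MSGRemoveContext, so it runs for every client, including one that disconnects without ever establishing a context. That is only safe if cardsList is initialised when the thread context is created rather than when a context is established; please confirm that, or guard the destroy. It is also worth checking that no other thread can still reach threadContext->cardsList at this point, since taking cardsList_lock around the destroy protects against a concurrent user during the call but not against one that acquires the lock afterwards and touches the destroyed list.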

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pcsclite/PCSC.git


