On Thu, Oct 26, 2023 at 10:47:36AM +0200, Martijn van Duren wrote:
> So here's an elusive one that can be triggered every now and then by the
> new regression test. Once an AgentX session is opened and we send an
> invalid packet, appl_agentx_recv() goes to appl_agentx_free(), since
> there's no recovery. appl_agentx_free() tries to neatly close all
> open sessions by sending a close-pdu, followed by calling
> appl_agentx_send() directly.
> However, if the socket has been closed in the meantime we hit
> appl_agentx_send()'s error path, which also calls appl_agentx_free().
> This in turn leads to use-after-free cases.
>
> To fix this, don't call appl_agentx_send() directly anymore, but just
> schedule it via conn_wev. To make sure as much data as possible is
> written out, do a last unchecked courtesy flush before definitively
> freeing the connection. Since appl_agentx_forceclose() arms conn_wev,
> move the event_del() calls down in appl_agentx_free().
>
> Other calls of appl_agentx_send() should be fine, but just convert
> all of them to be consistent and safe.
ok tb
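The reentrancy described above, reduced to a stand-alone model. This is an added example written for this page, not snmpd's code: the names conn_*, sock_write, close_pdu and the struct fields are hypothetical stand-ins for appl_agentx_free(), appl_agentx_send() and conn_wev, the socket is simulated by a flag, and there is no event loop, so "scheduling via the write event" is modelled as appending to an output buffer and arming a flag. The broken variant counts how often the destructor is entered instead of freeing, since the second entry is exactly where the real code would free a connection that its caller is still using; the fixed variant queues the close PDUs, does one unchecked courtesy flush, and only then drops the event and frees.

```c
/*
 * Destructor/sender reentrancy, modelled after the appl_agentx_free() /
 * appl_agentx_send() cycle.  Hypothetical names, not snmpd's code.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

#define MAX_SESSIONS 4
#define OUTBUF_SIZE 256

struct conn {
	int peer_closed;	/* constructed: the socket went away under us */
	int wev_armed;		/* stands in for event_add(&conn->wev) */
	int nsessions;		/* open sessions that each need a close PDU */
	char outbuf[OUTBUF_SIZE];
	size_t outlen;
	int free_entries;	/* instrumentation: destructor entry count */
};

static const char close_pdu[] = "AGENTX-CLOSE";	/* constructed placeholder */

/* Simulated socket write: fails once the peer has closed. */
static ssize_t
sock_write(struct conn *c, const char *buf, size_t n)
{
	(void)buf;
	return c->peer_closed ? -1 : (ssize_t)n;
}

static struct conn *
conn_new(int nsessions, int peer_closed)
{
	struct conn *c = calloc(1, sizeof(*c));
	if (c == NULL || nsessions > MAX_SESSIONS) {
		free(c);
		return NULL;
	}
	c->nsessions = nsessions;
	c->peer_closed = peer_closed;
	return c;
}

/* ---- Broken: destructor sends directly, sender's error path destroys ---- */

static void conn_free_broken(struct conn *c);

static int
conn_send_broken(struct conn *c, const char *pdu, size_t n)
{
	if (sock_write(c, pdu, n) == -1) {
		conn_free_broken(c);	/* error path tears the connection down */
		return -1;
	}
	return 0;
}

static void
conn_free_broken(struct conn *c)
{
	int i;

	/* A second entry is the use after free; here we only count it. */
	if (++c->free_entries > 1)
		return;
	for (i = 0; i < c->nsessions; i++)
		conn_send_broken(c, close_pdu, sizeof(close_pdu) - 1);
	/* real code: event_del(&c->wev); free(c); -- and the outer loop is
	 * already running on freed memory when the sends failed */
}

/* ---- Fixed: sender only queues and arms the write event, never frees ---- */

static int
conn_send_fixed(struct conn *c, const char *pdu, size_t n)
{
	if (c->outlen + n > sizeof(c->outbuf))
		return -1;
	memcpy(c->outbuf + c->outlen, pdu, n);
	c->outlen += n;
	c->wev_armed = 1;	/* the write callback owns the error path */
	return 0;
}

/* Returns the number of close PDUs queued; c is gone afterwards. */
static int
conn_free_fixed(struct conn *c)
{
	int i, queued = 0;

	c->free_entries++;
	for (i = 0; i < c->nsessions; i++)
		if (conn_send_fixed(c, close_pdu, sizeof(close_pdu) - 1) == 0)
			queued++;
	/* Last courtesy flush: best effort, result unchecked, calls nothing
	 * that could re-enter this function. */
	(void)sock_write(c, c->outbuf, c->outlen);
	/* event_del() only now, because queuing above armed the event. */
	c->wev_armed = 0;
	free(c);
	return queued;
}

/* Destructor entry count for the broken variant: 1 means no reentry. */
static int
demo_broken(int peer_closed)
{
	struct conn *c = conn_new(3, peer_closed);
	int entries;

	if (c == NULL)
		return -1;
	conn_free_broken(c);
	entries = c->free_entries;
	free(c);	/* the broken variant never freed, release it here */
	return entries;
}

static int
demo_fixed(int peer_closed)
{
	struct conn *c = conn_new(3, peer_closed);

	return c == NULL ? -1 : conn_free_fixed(c);
}

int
main(void)
{
	printf("broken, peer open:   %d destructor entries\n", demo_broken(0));
	printf("broken, peer closed: %d destructor entries\n", demo_broken(1));
	printf("fixed,  peer closed: %d close PDUs queued\n", demo_fixed(1));
	return 0;
}
```

With the peer still open the broken path behaves, which is why the bug only shows up now and then; once the peer is gone every failed send re-enters the destructor, once per session. The fixed path is reentrancy-free by construction because nothing it calls can free the connection, which is the same property the change gives appl_agentx_free() by routing all sends through conn_wev.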