Fix another use after free in ua client, pull request is upstream.

2022-07-20 13:26:35 +00:00 · 2022-07-20 13:26:35 +00:00 · eb4ef200e3
commit eb4ef200e3
parent cec5de1f3e
2 changed files with 34 additions and 1 deletions
--- a/misc/open62541/Makefile
+++ b/misc/open62541/Makefile
@ -1,7 +1,7 @@
 COMMENT =	library implementation of OPC UA

 VERSION =	1.3.2
-REVISION =	0
+REVISION =	1
 DISTNAME =	open62541-${VERSION}
 PKGNAME =	open62541-${VERSION}

--- a/misc/open62541/patches/patch-src_client_ua_client_c
+++ b/misc/open62541/patches/patch-src_client_ua_client_c
@ -1,6 +1,9 @@
 refactor(client): Refactor NetworkCallback to make the unit tests work
 https://github.com/open62541/open62541/commit/de9d691906547c9fc99e0a77198a80fe5bba54b1

+fix(client): use after free in asyncServiceTimeoutCheck
+https://github.com/open62541/open62541/pull/5270
+
 Index: src/client/ua_client.c
 --- src/client/ua_client.c.orig
 +++ src/client/ua_client.c
@ -23,3 +26,33 @@ Index: src/client/ua_client.c
         LIST_REMOVE(ac, pointers);
         UA_Client_AsyncService_cancel(client, ac, statusCode);
         UA_free(ac);
+@@ -617,16 +626,27 @@ UA_Client_removeCallback(UA_Client *client, UA_UInt64 
+ 
+ static void
+ asyncServiceTimeoutCheck(UA_Client *client) {
+    /* Make this function reentrant. One of the async callbacks could indirectly
+     * operate on the list. Moving all elements to a local list before iterating
+     * that. */
+    UA_AsyncServiceList asyncServiceCalls;
+     AsyncServiceCall *ac, *ac_tmp;
+     UA_DateTime now = UA_DateTime_nowMonotonic();
+    LIST_INIT(&asyncServiceCalls);
+     LIST_FOREACH_SAFE(ac, &client->asyncServiceCalls, pointers, ac_tmp) {
+         if(!ac->timeout)
+            continue;
+         if(ac->start + (UA_DateTime)(ac->timeout * UA_DATETIME_MSEC) <= now) {
+             LIST_REMOVE(ac, pointers);
+-            UA_Client_AsyncService_cancel(client, ac, UA_STATUSCODE_BADTIMEOUT);
+-            UA_free(ac);
+            LIST_INSERT_HEAD(&asyncServiceCalls, ac, pointers);
+         }
+    }
+
+    /* Cancel and remove the elements from the local list */
+    LIST_FOREACH_SAFE(ac, &asyncServiceCalls, pointers, ac_tmp) {
+        LIST_REMOVE(ac, pointers);
+        UA_Client_AsyncService_cancel(client, ac, UA_STATUSCODE_BADTIMEOUT);
+        UA_free(ac);
+     }
+ }
+