Use after free reported in #278 occurs because toxav_kill()

calls msi_kill() (toxav.c:180) which frees msi_call instances (msi.c:161) which are then used when call_remove() (toxav.c:1136) is called. This fix prevents call_remove() from calling invalid pointer. Fixes #278
author: mannol <eniz_vukovic@hotmail.com> 2016-12-20 22:31:47 +0100
committer: mannol <eniz_vukovic@hotmail.com> 2016-12-21 00:16:22 +0100
commit: 7122d2e862e028a730478d88cd61557fbed16ebf (patch)
tree: 6cf6f89b09ef8040fa33280c73d81022b16a316a /toxav/toxav.c
parent: de623f9eb99acdc8522ae18c3abe9eea760371a4 (diff)
1 files changed, 1 insertions, 0 deletions
diff --git a/toxav/toxav.c b/toxav/toxav.c
index 49058b8f..59c0c1e4 100644
--- a/toxav/toxav.c
+++ b/toxav/toxav.c
@@ -188,6 +188,7 @@ void toxav_kill(ToxAV *av)
        while (it) {
            call_kill_transmission(it);
+            it->msi_call = NULL; /* msi_kill() frees the call's msi_call handle; which causes #278 */
            it = call_remove(it); /* This will eventually free av->calls */
        }
    }
author	mannol <eniz_vukovic@hotmail.com>	2016-12-20 22:31:47 +0100
committer	mannol <eniz_vukovic@hotmail.com>	2016-12-21 00:16:22 +0100
commit	7122d2e862e028a730478d88cd61557fbed16ebf (patch)
tree	6cf6f89b09ef8040fa33280c73d81022b16a316a /toxav/toxav.c
parent	de623f9eb99acdc8522ae18c3abe9eea760371a4 (diff)

diff --git a/toxav/toxav.c b/toxav/toxav.c index 49058b8f..59c0c1e4 100644 --- a/toxav/toxav.c +++ b/toxav/toxav.c
@@ -188,6 +188,7 @@ void toxav_kill(ToxAV *av)
188		188
189	while (it) {	189	while (it) {
190	call_kill_transmission(it);	190	call_kill_transmission(it);
		191	it->msi_call = NULL; /* msi_kill() frees the call's msi_call handle; which causes #278 */
191	it = call_remove(it); /* This will eventually free av->calls */	192	it = call_remove(it); /* This will eventually free av->calls */
192	}	193	}
193	}	194	}