summaryrefslogtreecommitdiffhomepage
diff options
context:
space:
mode:
authorJason A. Donenfeld <Jason@zx2c4.com>2021-02-09 15:00:59 +0100
committerJason A. Donenfeld <Jason@zx2c4.com>2021-02-09 15:37:04 +0100
commit4b5d15ec2b1f148b4f718ed16d7e7f022b19fe1b (patch)
tree50c84857953c97478e3f3f7e9ebd97636f9c1129
parent6548a682a9a06cf7041e25f7aa5ac57f1f4cf3b4 (diff)
device: lock elem in autodraining queue before freeing
Without this, we wind up freeing packets that the encryption/decryption queues still have, resulting in a UaF. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
-rw-r--r--device/channels.go2
1 files changed, 2 insertions, 0 deletions
diff --git a/device/channels.go b/device/channels.go
index 8cd6aee..4bd6090 100644
--- a/device/channels.go
+++ b/device/channels.go
@@ -89,6 +89,7 @@ func newAutodrainingInboundQueue(device *Device) chan *QueueInboundElement {
if elem == nil {
continue
}
+ elem.Lock()
device.PutMessageBuffer(elem.buffer)
device.PutInboundElement(elem)
default:
@@ -118,6 +119,7 @@ func newAutodrainingOutboundQueue(device *Device) chan *QueueOutboundElement {
if elem == nil {
continue
}
+ elem.Lock()
device.PutMessageBuffer(elem.buffer)
device.PutOutboundElement(elem)
default: