From 233fa24ffd63f2ec48c4df11ec8a3ac7dd472718 Mon Sep 17 00:00:00 2001
From: ejurgensen
Date: Sun, 24 Jan 2016 21:05:52 +0100
Subject: [PATCH] [raop] Fix possibly old "read after free" bug
---
 src/outputs/raop.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/src/outputs/raop.c b/src/outputs/raop.c
index 2aa35977..752d6231 100644
--- a/src/outputs/raop.c
+++ b/src/outputs/raop.c
@@ -1692,6 +1692,8 @@ raop_session_free(struct raop_session *rs)
 free(rs->output_session);
 free(rs);
+
+ rs = NULL;
 }
 static void
@@ -3237,6 +3239,9 @@ raop_v2_send_packet(struct raop_session *rs, struct raop_v2_packet *pkt)
 uint8_t *data;
 int ret;
+ if (!rs)
+ return -1;
+
 data = (rs->encrypt) ? pkt->encrypted : pkt->clear;
 ret = send(rs->server_fd, data, AIRTUNES_V2_PKT_LEN, 0);
@@ -3265,6 +3270,7 @@ raop_v2_write(uint8_t *buf, uint64_t rtptime)
 {
 struct raop_v2_packet *pkt;
 struct raop_session *rs;
+ struct raop_session *next;
 pkt = raop_v2_make_packet(buf, rtptime);
 if (!pkt)
@@ -3283,8 +3289,11 @@ raop_v2_write(uint8_t *buf, uint64_t rtptime)
 else
 sync_counter++;
- for (rs = sessions; rs; rs = rs->next)
+ for (rs = sessions; rs; rs = next)
 {
+ // raop_v2_send_packet may free rs on failure, so save rs->next now
+ next = rs->next;
+
 if (rs->state != OUTPUT_STATE_STREAMING)
 continue;
@@ -3344,7 +3353,6 @@ raop_v2_resend_range(struct raop_session *rs, uint16_t seqnum, uint16_t len)
 if (ret < 0)
 {
 DPRINTF(E_LOG, L_RAOP, "Error retransmit packet, aborting retransmission\n");
-
 return;
 }
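Review bot: The added `rs = NULL;` at the end of raop_session_free clears only the function's own copy of the pointer, so every caller's pointer and any list link still refer to freed memory after the call. For the same reason the `if (!rs)` guard added in raop_v2_send_packet (second hunk) cannot detect a session that was already freed; it only rejects a literal NULL argument. I would drop the assignment, or replace it with a comment such as `// rs is invalid after this call; callers must not touch it`, so that nobody later relies on it as a use-after-free defence. The change that actually closes the bug is the saved `next` in raop_v2_write. The body of raop_session_free starts outside the hunk.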
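Review bot: Saving `next` at the top of the loop in raop_v2_write covers the case where the send path frees `rs` itself, but it still assumes the failure handling never frees or unlinks the session that `next` points to. That failure code is not visible in this patch, so the assumption is worth confirming and stating in the comment, for example `// send may free rs (and only rs) on failure, so read rs->next first`. The loop body continues outside the hunk; nothing after the raop_v2_send_packet call should read `rs` again in the same iteration.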