[Bro] rpc decoder possible double-free problem

jmzhou.ml at gmail.com
Wed Jul 25 22:19:33 PDT 2007


Hi,

I notice that in ~RPC_Reply, there is a statement "delete call_;". However,
this call_ is instantiated by calling t_context->connection()->FindCall(
msg()->xid()). This means that it is not "new"ed. This call_ is supposedly
deleted in ~RPC_Message. Thus, there is a potential double-free here.

The root cause is that binpac generates the "delete call_" for &let field.
This is incorrect behavior. However, I haven't figured out how to fix it
in binpac.

A quick fix to this problem is to modify the rpc-protocol.pac:RPC_Reply,
replacing the RPC_AcceptedReply(call) and RPC_RejectedReply(call) with:
   RPC_AcceptedReply($context.conn.FindCall(msg.xid))
   RPC_RejectedReply($context.conn.FindCall(msg.xid))

Cheers,

Jimmy
____________________________________________________________
The future is not set.  There is no fate but what we make
for ourselves.             - Terminator II, Judgment Day
------------------------------------------------------------
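The ownership rule behind the fix Jimmy suggests, as an added illustration that is not code from Bro, binpac or the original post: the connection's call table is the only owner of a call, and a reply that obtains the call through a FindCall-style lookup borrows it and must never delete it. The names Call, Connection, Reply, NewCall, FindCall, RemoveCall and round_trip are hypothetical stand-ins for the Bro types mentioned in the message, and the destruction counter is there only so the example can check that a call is freed exactly once.

```cpp
#include <cstdint>
#include <map>
#include <memory>

// Hypothetical stand-in for an RPC call record; counts destructions so a
// double-free would show up as a count greater than one.
struct Call {
    static int destroyed;
    uint32_t xid;
    explicit Call(uint32_t x) : xid(x) {}
    ~Call() { ++destroyed; }
};
int Call::destroyed = 0;

// Hypothetical connection state: the sole owner of outstanding calls, keyed by xid.
class Connection {
public:
    Call* NewCall(uint32_t xid) {
        auto c = std::make_unique<Call>(xid);
        Call* raw = c.get();
        calls_[xid] = std::move(c);
        return raw;
    }
    // Non-owning lookup, like the FindCall in the message: callers must not
    // delete the returned pointer.
    Call* FindCall(uint32_t xid) const {
        auto it = calls_.find(xid);
        return it == calls_.end() ? nullptr : it->second.get();
    }
    // The one place a call is freed.
    void RemoveCall(uint32_t xid) { calls_.erase(xid); }

private:
    std::map<uint32_t, std::unique_ptr<Call>> calls_;
};

// Hypothetical reply parser that borrows the call by looking it up on demand,
// the way the suggested $context.conn.FindCall(msg.xid) fix does, instead of
// holding an owning call_ member that a generated destructor would delete.
class Reply {
public:
    Reply(const Connection& conn, uint32_t xid) : conn_(conn), xid_(xid) {}
    Call* call() const { return conn_.FindCall(xid_); }
    bool matched() const { return call() != nullptr; }
    // No destructor deleting the call: the Connection owns it.

private:
    const Connection& conn_;
    uint32_t xid_;
};

// Constructed scenario: one call, one matching reply, then the call is retired.
// Returns how many times a Call was destroyed (correct ownership gives 1),
// or a negative code if the reply failed to match or the call vanished early.
int round_trip() {
    Call::destroyed = 0;
    Connection conn;
    conn.NewCall(42);
    {
        Reply r(conn, 42);
        if (!r.matched()) return -1;
    }  // reply goes away; the call must still be in the table
    if (conn.FindCall(42) == nullptr) return -2;
    conn.RemoveCall(42);  // single owner frees it exactly once
    return Call::destroyed;
}

// Constructed scenario: a reply whose xid has no outstanding call simply
// fails to match rather than touching freed memory.
bool unmatched_reply_is_safe() {
    Connection conn;
    conn.NewCall(7);
    Reply r(conn, 8);
    return !r.matched() && conn.FindCall(7) != nullptr;
}
```

With an owning call_ member deleted in ~RPC_Reply and the same object deleted again when the call table is torn down, the count above would exceed one; keeping the reply as a borrower removes the second delete without changing what the reply can see.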
