pppoe: disc: do not free the net struct in disc_stop

Assuming there is only one server associated with the current net object, freeing the net object at the end of disc_stop could potentially create a use-after-free error since before that, we queued an asynchronous call to _serv_stop, which in turn calls pppoe_disc_stop. Since pppoe_disc_stop acquires a pointer to the net object at the beginning of its run, and uses it all throughout as part of its locking, having free_net running alongside could result in the memory backing the lock being freed while the code is running. Signed-off-by: Simon Chopin <[email protected]>
xebd · Jun 23, 2020 · 0a99b9a · 0a99b9a
1 parent ed7b287
commit 0a99b9a
Showing 1 changed file with 0 additions and 3 deletions.
diff --git a/accel-pppd/ctrl/pppoe/disc.c b/accel-pppd/ctrl/pppoe/disc.c
@@ -279,9 +279,6 @@ static void disc_stop(struct disc_net *net)
 		}
 		pthread_mutex_unlock(&t->lock);
 	}
-
-	if (__sync_sub_and_fetch(&net->refs, 1) == 0)
-		free_net(net);
 }