If a fd satisfies both POLLIN and POLLOUT in the same cycle, but the

mirror of https://github.com/openbsd/src.git synced 2026-04-17 02:34:41 +00:00

POLLIN resulted in a file close, the POLLOUT runs incorrectly which
matters in the TLS context which attempts to read after free.
from James J. Lippard
ok millert

This commit is contained in:

deraadt

2026-04-02 17:23:04 +00:00

parent cb64dfb359

commit 877bcf024a

1 changed files with 4 additions and 2 deletions

									
										6

libexec/spamd/spamd.c
									
												View File
												
				@@ -1,4 +1,4 @@

				/*	$OpenBSD: spamd.c,v 1.163 2024/05/09 08:35:03 florian Exp $	*/

				/*	$OpenBSD: spamd.c,v 1.164 2026/04/02 17:23:04 deraadt Exp $	*/

				/*

				 * Copyright (c) 2015 Henning Brauer <henning@openbsd.org>

				@@ -761,6 +761,7 @@ closecon(struct con *cp)

					if (cp->cctx) {

						tls_close(cp->cctx);

						tls_free(cp->cctx);

						cp->cctx = NULL;

					}

					close(cp->pfd->fd);

					cp->pfd->fd = -1;

				@@ -1653,7 +1654,8 @@ jail:

								else

									handler(&con[i]);

							}

							if (pfd[PFD_FIRSTCON + i].revents & POLLOUT) {

							if (con[i].pfd->fd != -1 &&

							    (pfd[PFD_FIRSTCON + i].revents & POLLOUT)) {

								if (con[i].tlsaction ==

								    SPAMD_TLS_ACT_READ_POLLOUT)

									handler(&con[i]);

If a fd satisfies both POLLIN and POLLOUT in the same cycle, but the

6 libexec/spamd/spamd.c Unescape Escape View File

6

libexec/spamd/spamd.c

View File