|
1 Upstream patch/fix that was included in the next release of pcsclite: |
|
2 https://anonscm.debian.org/cgit/pcsclite/PCSC.git/patch/?id=697fe05967af7ea215bcd5d5774be587780c9e22 |
|
3 patch by Peter Wu <[email protected]> 2016-12-25 22:31:24 (GMT) |
|
4 committed by Ludovic Rousseau <[email protected]> 2016-12-30 16:18:39 (GMT) |
|
5 |
|
6 Once MSGRemoveContext is invoked (via SCARD_RELEASE_CONTEXT), cardsList is freed. |
|
7 A repeated invocation of SCARD_RELEASE_CONTEXT (with an empty context handle) |
|
8 results in a use-after-free followed by a double-free. After MSGRemoveContext, |
|
9 invocation of SCardEstablishContext enables further use-after-free of cardsList in |
|
10 MSGCheckHandleAssociation, MSGRemoveContext, MSGAddHandle, MSGRemoveHandle. |
|
11 |
|
12 To avoid this problem, destroy the list only when the client connection is terminated. |
|
13 |
|
14 This patch was based on the above and modified to work with our v1.8.14 of the pcsc-lite source code |
|
15 and named accordingly to build with our existing Solaris pcsc-lite userland patch layout. |
|
16 |
|
17 --- a/src/winscard_svc.c 2017-01-09 14:27:56.897972773 -0500 |
|
18 +++ b/src/winscard_svc.c 2017-01-09 14:26:46.043849006 -0500 |
|
19 @@ -868,7 +868,6 @@ |
|
20 UNREF_READER(rContext) |
|
21 } |
|
22 (void)pthread_mutex_unlock(&threadContext->cardsList_lock); |
|
23 - list_destroy(&threadContext->cardsList); |
|
24 |
|
25 /* We only mark the context as no longer in use. |
|
26 * The memory is freed in MSGCleanupCLient() */ |
|
27 @@ -979,6 +978,11 @@ |
|
28 (void)MSGRemoveContext(threadContext->hContext, threadContext); |
|
29 } |
|
30 |
|
31 + |
|
32 + (void)pthread_mutex_lock(&threadContext->cardsList_lock); |
|
33 + list_destroy(&threadContext->cardsList); |
|
34 + (void)pthread_mutex_unlock(&threadContext->cardsList_lock); |
|
35 + |
|
36 Log3(PCSC_LOG_DEBUG, |
|
37 "Thread is stopping: dwClientID=%d, threadContext @%p", |
|
38 threadContext->dwClientID, threadContext); |
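Review bot: The added `list_destroy` under `cardsList_lock` now carries the whole fix, yet nothing in the code records why the list must outlive SCARD_RELEASE_CONTEXT, so a later tidy-up could move the destroy back into MSGRemoveContext and reintroduce the use-after-free and double-free this patch removes. I would put a why-comment directly above the new lock: `/* cardsList is deliberately kept across SCARD_RELEASE_CONTEXT: destroying it in MSGRemoveContext let a repeated release, or a re-established context, touch freed list storage. Tear it down exactly once, when the client connection ends. */`. Note that the destroy runs unconditionally, outside the `if` whose closing brace guards the `MSGRemoveContext` call, so it assumes `cardsList` was initialised for every client thread (presumably at thread start, which is not visible here); it is worth confirming that `list_destroy` is safe on a list to which no context was ever added, or guarding it the same way. The enclosing function (apparently the cleanup routine named in the first hunk's comment) begins and ends outside this hunk.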
|
39 |