Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

UAF crash #111

Open
mexmer opened this issue Mar 1, 2023 · 1 comment
Open

UAF crash #111

mexmer opened this issue Mar 1, 2023 · 1 comment

Comments

@mexmer
Copy link
Contributor

mexmer commented Mar 1, 2023

libirecovery/src/libirecovery.c

Line 903 in 3962e48

if (mobiledevice_openpipes(_client) != IRECV_E_SUCCESS) {
causes crash under some condition.

mobiledevice_openpipes calls irecv_close on error, which releases client object and returns IRECV_E_SUCCESS, but this value is ignored and error is propagated back, later on multiple spots there is error handling, that involves calling members of client, without prior checking that client is null

https://github.com/libimobiledevice/libirecovery/blob/master/src/libirecovery.c#L904
https://github.com/libimobiledevice/libirecovery/blob/master/src/libirecovery.c#L925
https://github.com/libimobiledevice/libirecovery/blob/master/src/libirecovery.c#L948

also since it's inside cycle, even if mobiledevice_closepipes would not crash, still it will crash in next iteration of loop.
@mexmer
Copy link
Contributor Author

mexmer commented Mar 1, 2023

also one more note, if irecv_close is intended to release irecv_client i suggest renaming function to something like irecv_client_free instead ... current name suggest, it closes client connections, not deleting/releasing client object.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@mexmer