Use after free reported in TokTok#278 occurs because toxav_kill()

calls msi_kill() (toxav.c:180) which frees msi_call instances (msi.c:161) which are then used when call_remove() (toxav.c:1136) is called. This fix prevents call_remove() from calling invalid pointer. Fixes TokTok#278
uTox · Dec 20, 2016 · 7122d2e · 7122d2e
1 parent de623f9
commit 7122d2e
Showing 1 changed file with 1 addition and 0 deletions.
diff --git a/toxav/toxav.c b/toxav/toxav.c
@@ -188,6 +188,7 @@ void toxav_kill(ToxAV *av)
 
         while (it) {
             call_kill_transmission(it);
+            it->msi_call = NULL; /* msi_kill() frees the call's msi_call handle; which causes #278 */
             it = call_remove(it); /* This will eventually free av->calls */
         }
     }