From 4b5d15ec2b1f148b4f718ed16d7e7f022b19fe1b Mon Sep 17 00:00:00 2001
From: "Jason A. Donenfeld"
Date: Tue, 9 Feb 2021 15:00:59 +0100
Subject: [PATCH] device: lock elem in autodraining queue before freeing

Without this, we wind up freeing packets that the encryption/decryption queues still have, resulting in a UaF.

Signed-off-by: Jason A. Donenfeld
---
 device/channels.go | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/device/channels.go b/device/channels.go
index 8cd6aee..4bd6090 100644
--- a/device/channels.go
+++ b/device/channels.go
@@ -89,6 +89,7 @@ func newAutodrainingInboundQueue(device *Device) chan *QueueInboundElement {
 if elem == nil {
 continue
 }
+ elem.Lock()
 device.PutMessageBuffer(elem.buffer)
 device.PutInboundElement(elem)
 default:
@@ -118,6 +119,7 @@ func newAutodrainingOutboundQueue(device *Device) chan *QueueOutboundElement {
 if elem == nil {
 continue
 }
+ elem.Lock()
 device.PutMessageBuffer(elem.buffer)
 device.PutOutboundElement(elem)
 default:
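Review bot: The added `elem.Lock()` in the inbound drain loop has no matching `Unlock()` in the hunk and no comment, so the reason it is safe to recycle a still-locked element is recorded only in the commit message. A short comment above it would keep the invariant next to the code, e.g. `// Block until the crypto worker has released elem; freeing it earlier is a use-after-free.` It is also worth confirming that every worker path that takes an element eventually unlocks it, and that the mutex is reset before the element is reused, since otherwise this drain goroutine could block forever or a locked element could be handed out; neither is visible here. The same applies to the identical line in the `newAutodrainingOutboundQueue` hunk, and both functions start and end outside their hunks.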