SCardReleaseContext: prevent use-after-free of cardsList

Once MSGRemoveContext is invoked (via SCARD_RELEASE_CONTEXT), cardsList is freed. A repeated invocation of SCARD_RELEASE_CONTEXT (with an empty context handle) results in a use-after-free followed by a double-free. After MSGRemoveContext, invocation of SCardEstablishContext enable further use-after-free of cardsList in MSGCheckHandleAssociation, MSGRemoveContext, MSGAddHandle, MSGRemoveHandle. To avoid this problem, destroy the list only when the client connection is terminated.

SCardReleaseContext: prevent use-after-free of cardsList
697fe059 · Peter Wu · Ludovic Rousseau · c10dac9c · 697fe059
Commit 697fe059 authored 8 years ago by Peter Wu Committed by Ludovic Rousseau 8 years ago
--- a/src/winscard_svc.c
+++ b/src/winscard_svc.c
@@ -881,7 +881,6 @@ static LONG MSGRemoveContext(SCARDCONTEXT hContext, SCONTEXT * threadContext)
 		UNREF_READER(rContext)
 	}
 	(void)pthread_mutex_unlock(&threadContext->cardsList_lock);
-	list_destroy(&threadContext->cardsList);

 	/* We only mark the context as no longer in use.
 	 * The memory is freed in MSGCleanupCLient() */
@@ -992,6 +991,10 @@ static LONG MSGCleanupClient(SCONTEXT * threadContext)
 		(void)MSGRemoveContext(threadContext->hContext, threadContext);
 	}

+	(void)pthread_mutex_lock(&threadContext->cardsList_lock);
+	list_destroy(&threadContext->cardsList);
+	(void)pthread_mutex_unlock(&threadContext->cardsList_lock);
+
 	Log3(PCSC_LOG_DEBUG,
 		"Thread is stopping: dwClientID=%d, threadContext @%p",
 		threadContext->dwClientID, threadContext);