https://gitlab.synchro.net/main/sbbs/-/commit/f95f67ac43c455993a84f03d
Modified Files:
src/sbbs3/sbbs_ini.c
Log Message:
Fix double-free race condition with SBBSCTRL upon global recycle

When multiple servers are recycling at the same time, (e.g. due to saved
change in SCFG) they'd each call sbbs_read_ini() with a shared global_startup
struct, which in turn calls sbbs_free_ini(), which would free all the
allocated network interface lists (including the global_startup one) using
iniFreeStringList (just a wrapper for strListFree), but iniFreeStringList()
does NOT modify (NULLify) the freed-pointer, so your second or third server
that called sbbs_read_ini(), with the shared MainForm->global structure, would
*again* free the same global interface list. This bug actually has always
existed because get_ini_globals() freed the global interface list in the same
way, except it *immediately* re-allocated a new one by calling
iniGetStringList(), so the time window (opportunity) for this race condition
to occur was much smaller. Truly, SBBSCTRL should use a mutex or other
mechanism to protect the shared global_startup struct, but this is a first
step to a full fix: sbbs_free_ini() should (and now does) nullify the freed
network interface pointers by using strListFree() directly. I haven't been
able to reproduce the crash upon recycle in SBBSCTRL after making this change.

---
■ Synchronet ■ Vertrauen ■ Home of Synchronet ■ [vert/cvs/bbs].synchro.net