From 1b9ac396ba7716e3d2fc1f452d3b8c70a0dc4ce9 Mon Sep 17 00:00:00 2001
From: synqa
Date: Sun, 18 Jan 2026 22:13:46 +0900
Subject: [PATCH] Fix dangling pointer

Previously, The address of a local stack variable was passed to a new thread. Fix dangling pointer by switching to dynamic allocation. This problem is also known as CVE-2025-25568.
---
 src/Cedar/Command.c | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/src/Cedar/Command.c b/src/Cedar/Command.c
index dce502bb..b1c719f3 100644
--- a/src/Cedar/Command.c
+++ b/src/Cedar/Command.c
@@ -99,6 +99,8 @@ void CheckNetworkAcceptThread(THREAD *thread, void *param)
 Disconnect(s);
 ReleaseSock(s);
+
+ Free(c);
 }
@@ -155,15 +157,15 @@ void CheckNetworkListenThread(THREAD *thread, void *param)
 }
 else
 {
- CHECK_NETWORK_2 c;
+ CHECK_NETWORK_2 *c;
 THREAD *t;
- Zero(&c, sizeof(c));
- c.s = new_sock;
- c.k = pri;
- c.x = x;
+ c = ZeroMalloc(sizeof(CHECK_NETWORK_2));
+ c->s = new_sock;
+ c->k = pri;
+ c->x = x;
- t = NewThread(CheckNetworkAcceptThread, &c);
+ t = NewThread(CheckNetworkAcceptThread, c);
 Insert(o, t);
 }
 }
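Review bot: In CheckNetworkAcceptThread the new `Free(c);` sits only on the final path after `ReleaseSock(s);`, and the start of the function is outside this hunk, so any earlier `return` above it would leak the heap-allocated CHECK_NETWORK_2. It is worth confirming that the function has a single exit, or routing every exit through this cleanup. Only the struct itself moved to the heap: `c->k` and `c->x` still point at objects supplied by the listener, so the accept thread remains safe only while the listener keeps them alive until every thread in `o` has finished, which this hunk does not show.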
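Review bot: In CheckNetworkListenThread, ownership of `c` passes to the new thread with no fallback if the thread never runs: the result of `NewThread` goes straight into `Insert(o, t);` unchecked, and in that case neither `c` nor `new_sock` would be released. Whether `NewThread` or `ZeroMalloc` can fail and return is not visible from this hunk, so this needs checking against their definitions. A comment at the call such as `// ownership of c passes to CheckNetworkAcceptThread, which frees it` would make the contract explicit. `c = ZeroMalloc(sizeof(*c));` would also keep the allocation size tied to the variable rather than the type name. The function body starts and ends outside the hunk.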