Land #10699, Avoid double-closing meterpreter channels

lib/rex/post/meterpreter/channel.rb

@@ -140,6 +140,7 @@ class Channel
     self.cid    = cid
     self.type   = type
     self.flags  = flags
+    @mutex  = Mutex.new
 
     # Add this instance to the list
     if (cid and client)
@@ -150,8 +151,12 @@ class Channel
     ObjectSpace.define_finalizer(self, self.class.finalize(client, cid))
   end
 
-  def self.finalize(client,cid)
-    proc { self._close(client,cid) }
+  def self.finalize(client, cid)
+    proc {
+      unless cid.nil?
+        self._close(client, cid)
+      end
+    }
   end
 
   ##
@@ -301,11 +306,14 @@ class Channel
   end
 
   def _close(addends = nil)
-    unless self.cid.nil?
-      ObjectSpace.undefine_finalizer(self)
-      self.class._close(self.client, self.cid, addends)
-      self.cid = nil
-    end
+    # let the finalizer do the work behind the scenes
+    @mutex.synchronize {
+      unless self.cid.nil?
+        ObjectSpace.undefine_finalizer(self)
+        self.class._close(self.client, self.cid, addends)
+        self.cid = nil
+      end
+    }
   end
   #
   # Enables or disables interactive mode.
@@ -370,7 +378,11 @@ class Channel
   # Stub close handler.
   #
   def dio_close_handler(packet)
-    client.remove_channel(self.cid)
+    @mutex.synchronize {
+      cid = self.cid
+      self.cid = nil
+    }
+    client.remove_channel(cid)
 
     # Trap IOErrors as parts of the channel may have already been closed
     begin
@@ -378,9 +390,6 @@ class Channel
     rescue IOError
     end
 
-    # No more channel action, foo.
-    self.cid = nil
-
     return true
   end
 

lib/rex/post/meterpreter/extensions/stdapi/net/socket_subsystem/tcp_client_channel.rb

@@ -98,6 +98,8 @@ class TcpClientChannel < Rex::Post::Meterpreter::Stream
   # 2 -> both
   #
   def shutdown(how = 1)
+    return false if self.cid.nil?
+
     request = Packet.create_request('stdapi_net_socket_tcp_shutdown')
 
     request.add_tlv(TLV_TYPE_SHUTDOWN_HOW, how)