fix crash after closing channel

2024-12-08 23:33:07 +01:00 · 2016-07-08 15:40:29 +09:00 · 2016-07-08 15:40:29 +09:00 · 6625248fc7
commit 6625248fc7
parent d38637e858
3 changed files with 49 additions and 0 deletions
--- a/c/meterpreter/source/common/channel.c
+++ b/c/meterpreter/source/common/channel.c
@ -800,6 +800,24 @@ VOID channel_remove_list_entry(Channel *channel)
 	}
 }

+/*
+* Determines whether the specified channel exists
+*/
+BOOL channel_exists(Channel *channel)
+{
+	Channel *current;
+
+	for (current = channelList; current; current = current->next)
+	{
+		if (current == channel)
+		{
+			return TRUE;
+		}
+	}
+
+	return FALSE;
+}
+
 /**************
 * Default IO *
 **************/
--- a/c/meterpreter/source/common/channel.h
+++ b/c/meterpreter/source/common/channel.h
@ -212,5 +212,6 @@ LINKAGE DWORD channel_interact(Channel *channel, Remote *remote, Tlv *addend,
 * Channel searching
 */
 LINKAGE Channel *channel_find_by_id(DWORD id);
+LINKAGE BOOL channel_exists(Channel *channel);

 #endif
--- a/c/meterpreter/source/extensions/stdapi/server/sys/process/process.c
+++ b/c/meterpreter/source/extensions/stdapi/server/sys/process/process.c
@ -1052,6 +1052,10 @@ DWORD process_channel_read(Channel *channel, Packet *request,

 	dprintf("[PROCESS] process_channel_read. channel=0x%08X, ctx=0x%08X", channel, ctx);

+	if (ctx == NULL)
+	{
+		return result;
+	}
 #ifdef _WIN32
 	if (!ReadFile(ctx->pStdout, buffer, bufferSize, bytesRead, NULL))
 		result = GetLastError();
@ -1076,6 +1080,11 @@ DWORD process_channel_write( Channel *channel, Packet *request,
 	DWORD result = ERROR_SUCCESS;

 	dprintf( "[PROCESS] process_channel_write. channel=0x%08X, ctx=0x%08X", channel, ctx );
+
+	if (ctx == NULL)
+	{
+		return result;
+	}
 #ifdef _WIN32
 	if ( !WriteFile( ctx->pStdin, buffer, bufferSize, bytesWritten, NULL ) )
 		result = GetLastError();
@ -1098,6 +1107,10 @@ DWORD process_channel_close( Channel *channel, Packet *request, LPVOID context )

 	dprintf( "[PROCESS] process_channel_close. channel=0x%08X, ctx=0x%08X", channel, ctx );

+	if (ctx == NULL)
+	{
+		return result;
+	}
 	if ( ctx->pProcess != NULL ) {
 		dprintf( "[PROCESS] channel has an attached process, closing via scheduler signal. channel=0x%08X, ctx=0x%08X", channel, ctx );
 		scheduler_signal_waitable( ctx->pStdout, Stop );
@ -1119,9 +1132,14 @@ DWORD process_channel_interact_destroy( HANDLE waitable, LPVOID entryContext, LP
 {
 	ProcessChannelContext *ctx = (ProcessChannelContext *)threadContext;
 	DWORD dwResult = ERROR_SUCCESS;
+	Channel *channel = (Channel *)entryContext;

 	dprintf( "[PROCESS] terminating context 0x%p", ctx );

+	if (ctx == NULL)
+	{
+		return dwResult;
+	}
 #ifdef _WIN32

 	CloseHandle( ctx->pStdin );
@ -1143,6 +1161,10 @@ DWORD process_channel_interact_destroy( HANDLE waitable, LPVOID entryContext, LP
 #endif

 	free( ctx );
+	if (channel_exists(channel))
+	{
+		channel->ops.pool.native.context = NULL;
+	}

 	return dwResult;
 }
@ -1159,6 +1181,10 @@ DWORD process_channel_interact_notify(Remote *remote, LPVOID entryContext, LPVOI
 	CHAR buffer[16384];
 	DWORD result = ERROR_SUCCESS;

+	if (!channel_exists(channel) || ctx == NULL)
+	{
+		return result;
+	}
 #ifdef _WIN32
 	if( PeekNamedPipe( ctx->pStdout, NULL, 0, NULL, &bytesAvail, NULL ) )
 	{
@ -1225,6 +1251,10 @@ DWORD process_channel_interact(Channel *channel, Packet *request, LPVOID context

 	dprintf( "[PROCESS] process_channel_interact. channel=0x%08X, ctx=0x%08X, interact=%d", channel, ctx, interact );

+	if (!channel_exists(channel) || ctx == NULL)
+	{
+		return result;
+	}
 	// If the remote side wants to interact with us, schedule the stdout handle
 	// as a waitable item
 	if (interact) {