From c9232acef855b51d1bc199a68c03c0695ac11192 Mon Sep 17 00:00:00 2001
From: Sander Vrijders
Date: Fri, 21 Jun 2019 19:09:14 +0200
Subject: ipcpd: Fix use after free and uninitalized value

This fixes a use after free in an error condition, and makes sure that pid is set in the flow_set early on, so flow_set_destroy won't create a prefix with an uninitialized pid in case of an error in shm_flow_set_create.

Signed-off-by: Sander Vrijders
Signed-off-by: Dimitri Staessens
---
 src/ipcpd/normal/fa.c | 2 +-
 src/lib/shm_flow_set.c | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/ipcpd/normal/fa.c b/src/ipcpd/normal/fa.c
index 76942143..fbcbc6fa 100644
--- a/src/ipcpd/normal/fa.c
+++ b/src/ipcpd/normal/fa.c
@@ -166,8 +166,8 @@ static void * fa_handle_packet(void * o)
 buf = malloc(sizeof(*msg) + ipcp_dir_hash_len());
 if (buf == NULL) {
 log_err("Failed to allocate memory.");
- free(cmd);
 ipcp_sdb_release(cmd->sdb);
+ free(cmd);
 continue;
 }
diff --git a/src/lib/shm_flow_set.c b/src/lib/shm_flow_set.c
index f1182a4d..e1e6c30d 100644
--- a/src/lib/shm_flow_set.c
+++ b/src/lib/shm_flow_set.c
@@ -148,6 +148,8 @@ struct shm_flow_set * shm_flow_set_create(pid_t pid)
 if (set == NULL)
 goto fail_set;
+ set->pid = getpid();
+
 if (pthread_mutexattr_init(&mattr))
 goto fail_mutexattr_init;
@@ -180,8 +182,6 @@ struct shm_flow_set * shm_flow_set_create(pid_t pid)
 for (i = 0; i < SYS_MAX_FLOWS; ++i)
 set->mtable[i] = -1;
- set->pid = getpid();
-
 return set;
 fail_init:
--
cgit v1.2.3
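Review bot: The reordered error path in fa_handle_packet now depends on `ipcp_sdb_release(cmd->sdb)` running before `free(cmd)`, and nothing in the code records that dependency, so a later edit can reintroduce the same use-after-free (the argument `cmd->sdb` is read from `cmd` before the call). A one-line comment above the release call would pin the order, e.g. `/* reads cmd->sdb: must stay before free(cmd) */`. The enclosing loop of fa_handle_packet starts and ends outside the hunk, so its other error exits are not visible here; if they also free `cmd`, they are worth checking for the same ordering.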
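Review bot: In shm_flow_set_create the added line stores `getpid()` into `set->pid` while the function's own parameter is `pid_t pid` (visible in the hunk header), and the hunk gives no hint why the parameter is not the value stored; if the set is keyed on the parameter elsewhere, `set->pid = pid;` is probably the intended line, and if `getpid()` is deliberate a comment should say so. The early assignment itself is the right place for the fix the commit message describes, and a why-comment would keep a future refactor from moving it back below the mutex setup, e.g. `/* set pid before any goto fail_*: the destroy path builds a prefix from it */` — that the destroy path builds a prefix from the pid is taken from the commit message, not from lines visible here. The same move is the deletion in this file's hunk at line 180, which needs no separate comment. shm_flow_set_create starts and ends outside both hunks.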