From: Rusty Russell Date: Thu, 24 Mar 2011 03:40:22 +0000 (+1030) Subject: tdb2: fix use after free on error message X-Git-Url: http://git.ozlabs.org/?p=ccan;a=commitdiff_plain;h=40bab4d5df030f84a63d9c6cb1348d8f27442a0a tdb2: fix use after free on error message We use "r" after we call tdb_access_release() when we find corruption in the free list. "r" may be a pointer into malloced memory, freed by tdb_access_release(). --- diff --git a/ccan/tdb2/free.c b/ccan/tdb2/free.c index 7633eb77..7ede2461 100644 --- a/ccan/tdb2/free.c +++ b/ccan/tdb2/free.c @@ -457,12 +457,12 @@ again: } if (frec_magic(r) != TDB_FREE_MAGIC) { - tdb_access_release(tdb, r); ecode = tdb_logerr(tdb, TDB_ERR_CORRUPT, TDB_LOG_ERROR, "lock_and_alloc:" " %llu non-free 0x%llx", (long long)off, (long long)r->magic_and_prev); + tdb_access_release(tdb, r); goto unlock_err; }
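Review bot: Nothing at the moved `tdb_access_release(tdb, r);` line records why it has to come after the `tdb_logerr()` call that reads `r->magic_and_prev`, so a later tidy-up could move the release back up and reintroduce the use after free. A one-line comment above the release would pin the ordering, e.g. `/* r may point into malloced memory that tdb_access_release() frees: no use of r below this line */`. As a smaller style point on the unchanged lines, `%llu` and `0x%llx` expect `unsigned long long`, while the arguments are cast to `(long long)`. The enclosing function starts and ends outside the hunk, so any other path there that releases `r` and then reads it cannot be checked from this page and is worth a look for the same ordering.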