(parent: e1fd1d9)
tdb2: fix use after free on error message
author Rusty Russell <rusty@rustcorp.com.au> Thu, 24 Mar 2011 03:40:22 +0000 (14:10 +1030)
committer Rusty Russell <rusty@rustcorp.com.au> Thu, 24 Mar 2011 03:40:22 +0000 (14:10 +1030)
We use "r" after we call tdb_access_release() when we find corruption
in the free list. "r" may be a pointer into malloced memory, freed
by tdb_access_release().
ccan/tdb2/free.c
diff --git
a/ccan/tdb2/free.c
b/ccan/tdb2/free.c
index 7633eb772c7ff925f9cba7779234d1371b4427e0..7ede24616efc78df4e16eda260ace518bbd88755 100644
(file)
--- a/
ccan/tdb2/free.c
+++ b/
ccan/tdb2/free.c
@@
-457,12
+457,12
@@
again:
}
if (frec_magic(r) != TDB_FREE_MAGIC) {
- tdb_access_release(tdb, r);
ecode = tdb_logerr(tdb, TDB_ERR_CORRUPT, TDB_LOG_ERROR,
"lock_and_alloc:"
" %llu non-free 0x%llx",
(long long)off,
(long long)r->magic_and_prev);
+ tdb_access_release(tdb, r);
goto unlock_err;
}
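Review bot: in the `frec_magic(r) != TDB_FREE_MAGIC` branch, the error path is only safe while `tdb_access_release(tdb, r)` stays below the `tdb_logerr()` call that reads `r->magic_and_prev`, and nothing in the code records that constraint. Consider copying `r->magic_and_prev` into a local before the release, or adding a one-line comment that `r` may point into memory freed by the release, so a later cleanup does not reorder the two calls again. Minor: `%llu` and `0x%llx` are both paired with `(long long)` casts; `(unsigned long long)` would match the conversions.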