tdb2: fix use after free on error message
authorRusty Russell <rusty@rustcorp.com.au>
Thu, 24 Mar 2011 03:40:22 +0000 (14:10 +1030)
committerRusty Russell <rusty@rustcorp.com.au>
Thu, 24 Mar 2011 03:40:22 +0000 (14:10 +1030)
We use "r" after we call tdb_access_release() when we find corruption
in the free list.  "r" may be a pointer into malloced memory, freed
by tdb_access_release().

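--- a/ccan/tdb2/free.c
+++ b/ccan/tdb2/free.c
@@ -457,12 +457,12 @@ again:
                }
 
                if (frec_magic(r) != TDB_FREE_MAGIC) {
-                       tdb_access_release(tdb, r);
                        ecode = tdb_logerr(tdb, TDB_ERR_CORRUPT, TDB_LOG_ERROR,
                                           "lock_and_alloc:"
                                           " %llu non-free 0x%llx",
                                           (long long)off,
                                           (long long)r->magic_and_prev);
+                       tdb_access_release(tdb, r);
                        goto unlock_err;
                }
 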
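Review bot: The ordering constraint that this fix relies on is not recorded in the code, so the moved `tdb_access_release(tdb, r)` is one careless refactor away from going back in front of the `tdb_logerr()` call that reads `r->magic_and_prev`. I would add a comment on the release line: `/* r may point into a malloc'd copy; log (which reads r) before releasing it. */`. The enclosing function starts and ends outside the hunk, and the `unlock_err` label is not visible either, so I cannot confirm from here that no other exit path in this loop still touches `r` after releasing it; worth a quick check of the remaining `tdb_access_release` call sites in the same function.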