author | Christophe Fillot <cf@utc.fr> | 2011-03-12 12:08:19 -0500 |
---|---|---|
committer | Nick Mathewson <nickm@torproject.org> | 2011-03-12 12:08:19 -0500 |
commit | 4b8f02f14751c6c2d53cad3597a711a1a008e07f (patch) | |
tree | f77fcb6c9c3d2af119f385102b69c5e06d4a3dc7 /evrpc.c | |
parent | 5209fadfd07af3f3379ac607582c37933b33e044 (diff) | |
Fix incorrect assertions and possible use-after-free in evrpc_free()
Original description:
The following patch fixes incorrect assertions in evrpc_free():
evrpc_unregister_rpc() and evrpc_remove_hook() return 0 for success.
Also, in evrpc_unregister_rpc(), it is better to free RPC structure
at the end: evrpc_free() uses rpc->uri as "name" parameter when
calling evrpc_unregister_rpc(), then rpc->uri is freed, but we have
"registered_uri = evrpc_construct_uri(name)". So at this time "name"
is invalid.
Diffstat (limited to 'evrpc.c')
-rw-r--r-- | evrpc.c | 8 |
1 files changed, 4 insertions, 4 deletions
@@ -98,7 +98,7 @@ evrpc_free(struct evrpc_base *base) while ((rpc = TAILQ_FIRST(&base->registered_rpcs)) != NULL) { r = evrpc_unregister_rpc(base, rpc->uri); - EVUTIL_ASSERT(r); + EVUTIL_ASSERT(r == 0); } while ((pause = TAILQ_FIRST(&base->paused_requests)) != NULL) { TAILQ_REMOVE(&base->paused_requests, pause, next); @@ -263,9 +263,6 @@ evrpc_unregister_rpc(struct evrpc_base *base, const char *name) } TAILQ_REMOVE(&base->registered_rpcs, rpc, next); - mm_free((char *)rpc->uri); - mm_free(rpc); - registered_uri = evrpc_construct_uri(name); /* remove the http server callback */ @@ -273,6 +270,9 @@ evrpc_unregister_rpc(struct evrpc_base *base, const char *name) EVUTIL_ASSERT(r == 0); mm_free(registered_uri); + + mm_free((char *)rpc->uri); + mm_free(rpc); return (0); } |
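Review bot: The `while ((rpc = TAILQ_FIRST(&base->registered_rpcs)) != NULL)` loop in evrpc_free() only terminates if `evrpc_unregister_rpc()` really unlinks the head entry, and the corrected `EVUTIL_ASSERT(r == 0)` is the only thing that reacts when it does not. If EVUTIL_ASSERT can be compiled out in release builds (its definition is not visible here, so please confirm), a nonzero return would leave the same entry at the head and the loop would never finish. Adding `if (r != 0) break;` after the assertion would bound the loop, at the cost of leaking the remaining entries on that unexpected path. The body of evrpc_free() begins and ends outside this hunk.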
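Review bot: Nothing next to the relocated `mm_free((char *)rpc->uri);` and `mm_free(rpc);` in the last hunk of evrpc_unregister_rpc() says why they must come last, so a later clean-up could move them back above `evrpc_construct_uri(name)` and reintroduce the use-after-free. The commit message explains that evrpc_free() passes `rpc->uri` as `name`; I would put that in the code as `/* name may alias rpc->uri (see evrpc_free()); free rpc only after the last use of name */` directly above the two frees. The result of `evrpc_construct_uri(name)` also appears to be used without a NULL check, since only one line lies between the hunks, so a guard there seems worth adding if that helper can fail on allocation. A regression test that registers an RPC and calls evrpc_free() under an address sanitizer would catch any future reordering. The function starts outside the hunk.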