__svc_vc_dodestroy: fix double free of xp_ltaddr.buflibtirpc-1-2-7-rc2

In svc_fd_create(), upon error, freeing xp_ltaddr.buf and null is returned to the caller as expected. The allocated SVCXPRT is added to svc_pollfd and during destroy __svc_vc_dodestroy(), xp_ltaddr.buf is being freed again causing double free. Fix is to reset the pointer when ever freed first. Reported-by: Sreedharbabu Vykuntam <sreedharbabu.vykuntam@quest.com> Reviewed-by: Ian Kent <raven@themaw.net> Signed-off-by: Srinivasarao Cheruku <srinivascheruku@yahoo.com> Signed-off-by: Steve Dickson <steved@redhat.com>
author: srinivasa rao cheruku <srinivascheruku@yahoo.com> 2020-05-28 12:38:54 -0400
committer: Steve Dickson <steved@redhat.com> 2020-05-28 12:38:54 -0400
commit: c300af4954948019eb58bd2cefdf373cb2994eff (patch)
tree: 2f670f0bf3df832a61e6186d73906b7d2ce590d2 /src
parent: 99f943123d2832cdd0f77c989d82cc8cba26e90b (diff)
download: ti-rpc-c300af4954948019eb58bd2cefdf373cb2994eff.tar.gz
1 files changed, 4 insertions, 3 deletions
diff --git a/src/svc_vc.c b/src/svc_vc.c
index c23cd36..f1d9f00 100644
--- a/src/svc_vc.c
+++ b/src/svc_vc.c
@@ -243,7 +243,7 @@ svc_fd_create(fd, sendsize, recvsize)
 		goto freedata;
 	}
 	if (!__rpc_set_netbuf(&ret->xp_rtaddr, &ss, sizeof(ss))) {
-		warnx("svc_fd_create: no mem for local addr");
+		warnx("svc_fd_create: no mem for remote addr");
 		goto freedata;
 	}
 
@@ -253,9 +253,10 @@ svc_fd_create(fd, sendsize, recvsize)
 	return ret;
 
 freedata:
-	if (ret->xp_ltaddr.buf != NULL)
+	if (ret->xp_ltaddr.buf != NULL) {
 		mem_free(ret->xp_ltaddr.buf, rep->xp_ltaddr.maxlen);
-
+		ret->xp_ltaddr.buf = NULL;
+	}
 	return NULL;
 }
author	srinivasa rao cheruku <srinivascheruku@yahoo.com>	2020-05-28 12:38:54 -0400
committer	Steve Dickson <steved@redhat.com>	2020-05-28 12:38:54 -0400
commit	c300af4954948019eb58bd2cefdf373cb2994eff (patch)
tree	2f670f0bf3df832a61e6186d73906b7d2ce590d2 /src
parent	99f943123d2832cdd0f77c989d82cc8cba26e90b (diff)
download	ti-rpc-c300af4954948019eb58bd2cefdf373cb2994eff.tar.gz