author | srinivasa rao cheruku <srinivascheruku@yahoo.com> | 2020-05-28 12:38:54 -0400 |
---|---|---|
committer | Steve Dickson <steved@redhat.com> | 2020-05-28 12:38:54 -0400 |
commit | c300af4954948019eb58bd2cefdf373cb2994eff (patch) | |
tree | 2f670f0bf3df832a61e6186d73906b7d2ce590d2 /src | |
parent | 99f943123d2832cdd0f77c989d82cc8cba26e90b (diff) | |
download | ti-rpc-c300af4954948019eb58bd2cefdf373cb2994eff.tar.gz |
__svc_vc_dodestroy: fix double free of xp_ltaddr.buf
Tag: libtirpc-1-2-7-rc2
In svc_fd_create(), upon error, xp_ltaddr.buf is freed and NULL
is returned to the caller as expected. The allocated SVCXPRT is
added to svc_pollfd and during destroy in __svc_vc_dodestroy(),
xp_ltaddr.buf is freed again, causing a double free.
Fix is to reset the pointer whenever freed first.
Reported-by: Sreedharbabu Vykuntam <sreedharbabu.vykuntam@quest.com>
Reviewed-by: Ian Kent <raven@themaw.net>
Signed-off-by: Srinivasarao Cheruku <srinivascheruku@yahoo.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
Diffstat (limited to 'src')
-rw-r--r-- | src/svc_vc.c | 7 |
1 files changed, 4 insertions, 3 deletions
diff --git a/src/svc_vc.c b/src/svc_vc.c index c23cd36..f1d9f00 100644 --- a/src/svc_vc.c +++ b/src/svc_vc.c @@ -243,7 +243,7 @@ svc_fd_create(fd, sendsize, recvsize) goto freedata; } if (!__rpc_set_netbuf(&ret->xp_rtaddr, &ss, sizeof(ss))) { - warnx("svc_fd_create: no mem for local addr"); + warnx("svc_fd_create: no mem for remote addr"); goto freedata; } @@ -253,9 +253,10 @@ svc_fd_create(fd, sendsize, recvsize) return ret; freedata: - if (ret->xp_ltaddr.buf != NULL) + if (ret->xp_ltaddr.buf != NULL) { mem_free(ret->xp_ltaddr.buf, rep->xp_ltaddr.maxlen); - + ret->xp_ltaddr.buf = NULL; + } return NULL; } |
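Review bot: The warnx() text change under the xp_rtaddr check in the first hunk is a message correction unrelated to the double free, and the commit message does not mention it. The new wording matches the buffer being set (xp_rtaddr), so the change itself is right; add a line about it to the commit message or split it into its own patch so the double-free fix can be backported on its own.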
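Review bot: In the freedata block of the second hunk, setting ret->xp_ltaddr.buf to NULL stops the second free, but the function still returns NULL while, per the commit message, the SVCXPRT stays registered in svc_pollfd, so the caller has no handle to the half-initialised transport and its cleanup is deferred to a later __svc_vc_dodestroy(). A comment at freedata saying that ret outlives this return and why the pointer must be cleared would keep a future edit from dropping the reset; it is also worth asking whether this error path should tear the transport down itself. Separately, the unchanged size argument reads rep->xp_ltaddr.maxlen while the surrounding lines all use ret; that looks like a typo and could be corrected in the same change.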