[systemd-commits] src/libsystemd

Tue Oct 7 02:38:41 PDT 2014

src/libsystemd/sd-bus/bus-kernel.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

New commits:
commit ca794c8e9583eb660f535af32c8c8281a284f270
Author: Daniel Mack <daniel at zonque.org>
Date:   Tue Oct 7 11:32:07 2014 +0200

    sd-bus: fix use-after-free in close_kdbus_msg()
    
    Walk the items first, then free the memory of the message.
    
    Also, while at it, make coverity happy with an explicit (void) prefix.
    We intentionally ignore the return value here.

diff --git a/src/libsystemd/sd-bus/bus-kernel.c b/src/libsystemd/sd-bus/bus-kernel.c
index 9240713..b431d78 100644
--- a/src/libsystemd/sd-bus/bus-kernel.c
+++ b/src/libsystemd/sd-bus/bus-kernel.c
@@ -808,8 +808,6 @@ static void close_kdbus_msg(sd_bus *bus, struct kdbus_msg *k) {
         cmd.flags = 0;
         cmd.offset = (uint8_t *)k - (uint8_t *)bus->kdbus_buffer;
 
-        ioctl(bus->input_fd, KDBUS_CMD_FREE, &cmd);
-
         KDBUS_ITEM_FOREACH(d, k, items) {
 
                 if (d->type == KDBUS_ITEM_FDS)
@@ -817,6 +815,8 @@ static void close_kdbus_msg(sd_bus *bus, struct kdbus_msg *k) {
                 else if (d->type == KDBUS_ITEM_PAYLOAD_MEMFD)
                         safe_close(d->memfd.fd);
         }
+
+        (void) ioctl(bus->input_fd, KDBUS_CMD_FREE, &cmd);
 }
 
 int bus_kernel_write_message(sd_bus *bus, sd_bus_message *m, bool hint_sync_call) {

