[systemd-devel] [PATCH 1/5] [use after free] Avoid using m->kdbus after freeing it.

Thu Sep 11 08:11:36 PDT 2014

Hi

On Wed, Sep 10, 2014 at 11:20 AM,  <philippedeswert at gmail.com> wrote:
> From: Philippe De Swert <philippedeswert at gmail.com>
>
> m->kdbus could be freed before it is released. Changing the
> order fixes the issue.
>
> Found with Coverity. Fixes: CID#1237798
>
> Signed-off-by: Philippe De Swert <philippedeswert at gmail.com>

Few notes:
- no punctuation characters in commit-heads
- try to prefix commit-heads with the subsystem name, like "bus: foo
bar bar bar"
- no signed-off-by for systemd

I fixed those and applied the patch.

Thanks!
David

> ---
>  src/libsystemd/sd-bus/bus-message.c | 6 +++---
>  1 file changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/src/libsystemd/sd-bus/bus-message.c b/src/libsystemd/sd-bus/bus-message.c
> index d00455a..bfb14fc 100644
> --- a/src/libsystemd/sd-bus/bus-message.c
> +++ b/src/libsystemd/sd-bus/bus-message.c
> @@ -127,9 +127,6 @@ static void message_free(sd_bus_message *m) {
>
>          message_reset_parts(m);
>
> -        if (m->free_kdbus)
> -                free(m->kdbus);
> -
>          if (m->release_kdbus) {
>                  uint64_t off;
>
> @@ -137,6 +134,9 @@ static void message_free(sd_bus_message *m) {
>                  ioctl(m->bus->input_fd, KDBUS_CMD_FREE, &off);
>          }
>
> +        if (m->free_kdbus)
> +                free(m->kdbus);
> +
>          sd_bus_unref(m->bus);
>
>          if (m->free_fds) {
> --
> 1.8.3.2
>
> _______________________________________________
> systemd-devel mailing list
> systemd-devel at lists.freedesktop.org
> http://lists.freedesktop.org/mailman/listinfo/systemd-devel