[systemd-devel] [PATCH 10/12] policy: kdbus_policy_set() fix a use after free bug
If we try to register the same name twice then kdbus_policy_add_one()
will fail with -EEXIST
In kdbus_policy_set() we have two calls to kdbus_policy_add_one() if
they fail we clean things up with kdbus_policy_entry_free(), but since
we failed ret == -EEXIST ,we hit the error path where we have another:
if (e)
kdbus_policy_entry_free(e);
We have a use after free bug here, Since 'e' is freed but never set to
NULL.
To fix this we can set that 'e' to NULL after each
kdbus_policy_entry_free() call, but it is better to just clean things up
in a one place, in the error path and remove the other
kdbus_policy_entry_free() calls.
Thix fixes the bug triggered by test-kdbus-policy when we try to
register the same name twice.
Signed-off-by: Djalal Harouni tix...@opendz.org
---
policy.c | 9 ++---
1 file changed, 2 insertions(+), 7 deletions(-)
diff --git a/policy.c b/policy.c
index 601d2a8..d75c2ef 100644
--- a/policy.c
+++ b/policy.c
@@ -512,10 +512,8 @@ int kdbus_policy_set(struct kdbus_policy_db *db,
if (e) {
ret = kdbus_policy_add_one(db, e);
- if (ret 0) {
- kdbus_policy_entry_free(e);
+ if (ret 0)
goto exit;
- }
}
if (max_policies ++count max_policies) {
@@ -584,11 +582,8 @@ int kdbus_policy_set(struct kdbus_policy_db *db,
goto exit;
}
- if (e) {
+ if (e)
ret = kdbus_policy_add_one(db, e);
- if (ret 0)
- kdbus_policy_entry_free(e);
- }
exit:
if (ret 0) {
--
1.9.0
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
Re: [systemd-devel] [PATCH 10/12] policy: kdbus_policy_set() fix a use after free bug
On 06/20/2014 06:50 PM, Djalal Harouni wrote:
If we try to register the same name twice then kdbus_policy_add_one()
will fail with -EEXIST
In kdbus_policy_set() we have two calls to kdbus_policy_add_one() if
they fail we clean things up with kdbus_policy_entry_free(), but since
we failed ret == -EEXIST ,we hit the error path where we have another:
if (e)
kdbus_policy_entry_free(e);
We have a use after free bug here, Since 'e' is freed but never set to
NULL.
Applied, thanks.
Daniel
To fix this we can set that 'e' to NULL after each
kdbus_policy_entry_free() call, but it is better to just clean things up
in a one place, in the error path and remove the other
kdbus_policy_entry_free() calls.
Thix fixes the bug triggered by test-kdbus-policy when we try to
register the same name twice.
Signed-off-by: Djalal Harouni tix...@opendz.org
---
policy.c | 9 ++---
1 file changed, 2 insertions(+), 7 deletions(-)
diff --git a/policy.c b/policy.c
index 601d2a8..d75c2ef 100644
--- a/policy.c
+++ b/policy.c
@@ -512,10 +512,8 @@ int kdbus_policy_set(struct kdbus_policy_db *db,
if (e) {
ret = kdbus_policy_add_one(db, e);
- if (ret 0) {
- kdbus_policy_entry_free(e);
+ if (ret 0)
goto exit;
- }
}
if (max_policies ++count max_policies) {
@@ -584,11 +582,8 @@ int kdbus_policy_set(struct kdbus_policy_db *db,
goto exit;
}
- if (e) {
+ if (e)
ret = kdbus_policy_add_one(db, e);
- if (ret 0)
- kdbus_policy_entry_free(e);
- }
exit:
if (ret 0) {
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
