[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[hurd] 24/26: Fix use after free
From: |
Samuel Thibault |
Subject: |
[hurd] 24/26: Fix use after free |
Date: |
Sat, 02 Nov 2013 14:44:47 +0000 |
This is an automated email from the git hooks/post-receive script.
sthibault pushed a commit to branch upstream
in repository hurd.
commit a274a4f22c83c536744e77e3dc873417912a1928
Author: Samuel Thibault <address@hidden>
Date: Fri Nov 1 22:39:19 2013 +0100
Fix use after free
Reported by Justus Winter
* libtrivfs/protid-clean.c (trivfs_clean_protid): New variable `cntl`
factorizes
access to `cred->po->cntl`, and fixes use after free of cred->po.
---
libtrivfs/protid-clean.c | 13 +++++++------
1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/libtrivfs/protid-clean.c b/libtrivfs/protid-clean.c
index 856d7af..a9623a3 100644
--- a/libtrivfs/protid-clean.c
+++ b/libtrivfs/protid-clean.c
@@ -23,26 +23,27 @@ void
trivfs_clean_protid (void *arg)
{
struct trivfs_protid *cred = arg;
-
+ struct trivfs_control *cntl = cred->po->cntl;
+
if (trivfs_protid_destroy_hook && cred->realnode != MACH_PORT_NULL)
/* Allow the user to clean up; If the realnode field is null, then CRED
wasn't initialized to the point of needing user cleanup. */
(*trivfs_protid_destroy_hook) (cred);
/* If we hold the only reference to the peropen, try to get rid of it. */
- pthread_mutex_lock (&cred->po->cntl->lock);
+ pthread_mutex_lock (&cntl->lock);
if (cred->po->refcnt == 1 && trivfs_peropen_destroy_hook)
{
- pthread_mutex_unlock (&cred->po->cntl->lock);
+ pthread_mutex_unlock (&cntl->lock);
(*trivfs_peropen_destroy_hook) (cred->po);
- pthread_mutex_lock (&cred->po->cntl->lock);
+ pthread_mutex_lock (&cntl->lock);
}
if (--cred->po->refcnt == 0)
{
- ports_port_deref (cred->po->cntl);
+ ports_port_deref (cntl);
free (cred->po);
}
- pthread_mutex_unlock (&cred->po->cntl->lock);
+ pthread_mutex_unlock (&cntl->lock);
iohelp_free_iouser (cred->user);
--
Alioth's /usr/local/bin/git-commit-notice on
/srv/git.debian.org/git/pkg-hurd/hurd.git
- [hurd] branch upstream updated (223b7da -> 90b039d), Samuel Thibault, 2013/11/02
- [hurd] 01/26: Check for negative sizes in file_set_size, Samuel Thibault, 2013/11/02
- [hurd] 03/26: Fix memory leak in exec, Samuel Thibault, 2013/11/02
- [hurd] 02/26: Fix memory leak in libnetfs, Samuel Thibault, 2013/11/02
- [hurd] 10/26: console-client: minor stylistic fix, Samuel Thibault, 2013/11/02
- [hurd] 04/26: Revert "tmpfs: drop privileges in the tmpfs translator", Samuel Thibault, 2013/11/02
- [hurd] 26/26: Merge remote-tracking branch 'upstream/master' into upstream, Samuel Thibault, 2013/11/02
- [hurd] 09/26: console-client: fix error handling, Samuel Thibault, 2013/11/02
- [hurd] 11/26: console-client: replace function epilogue with console_exit, Samuel Thibault, 2013/11/02
- [hurd] 24/26: Fix use after free,
Samuel Thibault <=
- [hurd] 12/26: term: fix read on a closed PTY, Samuel Thibault, 2013/11/02
- [hurd] 23/26: libshouldbeinlibc: fix error handling in maptime_map, Samuel Thibault, 2013/11/02
- [hurd] 05/26: trans: rename a global variable, Samuel Thibault, 2013/11/02
- [hurd] 07/26: console-client: remove the pid file on clean exits, Samuel Thibault, 2013/11/02
- [hurd] 08/26: console-client: entitle console_exit with the noreturn attribute, Samuel Thibault, 2013/11/02
- [hurd] 06/26: libfshelp: properly free active translator entries, Samuel Thibault, 2013/11/02
- [hurd] 21/26: configure.ac: properly escape the test for X11/keysymdef.h, Samuel Thibault, 2013/11/02
- [hurd] 25/26: libports: fix error handling in _ports_create_port_internal, Samuel Thibault, 2013/11/02
- [hurd] 14/26: libdiskfs: fix removal of socket nodes, Samuel Thibault, 2013/11/02
- [hurd] 22/26: exec: Remove the remaining BFD related bits, Samuel Thibault, 2013/11/02