This fixes a use-after-free in an error path, and makes sure that
pid is set in the flow_set early on, so that flow_set_destroy won't
create a prefix with an uninitialized pid if an error occurs in
shm_flow_set_create.
Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
---
src/ipcpd/normal/fa.c | 2 +-
src/lib/shm_flow_set.c | 4 ++--
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/ipcpd/normal/fa.c b/src/ipcpd/normal/fa.c
index 7694214..fbcbc6f 100644
--- a/src/ipcpd/normal/fa.c
+++ b/src/ipcpd/normal/fa.c
@@ -166,8 +166,8 @@ static void * fa_handle_packet(void * o)
buf = malloc(sizeof(*msg) + ipcp_dir_hash_len());
if (buf == NULL) {
log_err("Failed to allocate memory.");
- free(cmd);
ipcp_sdb_release(cmd->sdb);
+ free(cmd);
continue;
}
diff --git a/src/lib/shm_flow_set.c b/src/lib/shm_flow_set.c
index f1182a4..e1e6c30 100644
--- a/src/lib/shm_flow_set.c
+++ b/src/lib/shm_flow_set.c
@@ -148,6 +148,8 @@ struct shm_flow_set * shm_flow_set_create(pid_t pid)
if (set == NULL)
goto fail_set;
+ set->pid = getpid();
+
if (pthread_mutexattr_init(&mattr))
goto fail_mutexattr_init;
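Review bot: The added `set->pid = getpid();` ignores the function's own `pid` parameter, which is visible in the hunk header as `shm_flow_set_create(pid_t pid)`, so the value kept for the destroy path is always the calling process's pid. If the shared-memory object is named from the `pid` argument earlier in the function (not visible here) and a caller passes a pid other than its own, flow_set_destroy would build its prefix from a different pid than the one used at creation. It could then leave the created object behind or act on an unrelated one. Either assign `set->pid = pid;` or add a comment such as `/* creator's pid; flow_set_destroy builds its prefix from this */` explaining why getpid() is intended. The function body starts and ends outside this hunk.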
@@ -180,8 +182,6 @@ struct shm_flow_set * shm_flow_set_create(pid_t pid)
for (i = 0; i < SYS_MAX_FLOWS; ++i)
set->mtable[i] = -1;
- set->pid = getpid();
-
return set;
fail_init:
--
2.22.0