| Message ID | 20220113193605.3361579-1-sorenson@redhat.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | libtirpc: Fix use-after-free accessing the error number | expand |
On 1/13/22 14:36, Frank Sorenson wrote: > Free the cbuf after obtaining the error number. > > Signed-off-by: Frank Sorenson <sorenson@redhat.com> Committed (tag: libtirpc-1-3-3-rc2) steved. > --- > src/clnt_dg.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/src/clnt_dg.c b/src/clnt_dg.c > index e1255de..b3d82e7 100644 > --- a/src/clnt_dg.c > +++ b/src/clnt_dg.c > @@ -456,9 +456,9 @@ get_reply: > cmsg = CMSG_NXTHDR (&msg, cmsg)) > if (cmsg->cmsg_level == SOL_IP && cmsg->cmsg_type == IP_RECVERR) > { > - mem_free(cbuf, (outlen + 256)); > e = (struct sock_extended_err *) CMSG_DATA(cmsg); > cu->cu_error.re_errno = e->ee_errno; > + mem_free(cbuf, (outlen + 256)); > release_fd_lock(cu->cu_fd_lock, mask); > return (cu->cu_error.re_status = RPC_CANTRECV); > }
diff --git a/src/clnt_dg.c b/src/clnt_dg.c index e1255de..b3d82e7 100644 --- a/src/clnt_dg.c +++ b/src/clnt_dg.c @@ -456,9 +456,9 @@ get_reply: cmsg = CMSG_NXTHDR (&msg, cmsg)) if (cmsg->cmsg_level == SOL_IP && cmsg->cmsg_type == IP_RECVERR) { - mem_free(cbuf, (outlen + 256)); e = (struct sock_extended_err *) CMSG_DATA(cmsg); cu->cu_error.re_errno = e->ee_errno; + mem_free(cbuf, (outlen + 256)); release_fd_lock(cu->cu_fd_lock, mask); return (cu->cu_error.re_status = RPC_CANTRECV); }
Free the cbuf after obtaining the error number. Signed-off-by: Frank Sorenson <sorenson@redhat.com> --- src/clnt_dg.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)