diff options
| author | Florian Dold <florian.dold@gmail.com> | 2013-12-09 20:27:32 +0000 |
|---|---|---|
| committer | Florian Dold <florian.dold@gmail.com> | 2013-12-09 20:27:32 +0000 |
| commit | e9a2778efa6e4ee9940cdb56face621dc319787f (patch) | |
| tree | ac1cf075942d17286318b2fc7fbdc9a55297bb76 /src/set/gnunet-service-set_union.c | |
| parent | c712a1f8b2df7406ac6d7a3346e2b066a23b37ef (diff) | |
| download | gnunet-e9a2778efa6e4ee9940cdb56face621dc319787f.tar.gz gnunet-e9a2778efa6e4ee9940cdb56face621dc319787f.zip | |
- fix use after free in set union (#3178)
Diffstat (limited to 'src/set/gnunet-service-set_union.c')
| -rw-r--r-- | src/set/gnunet-service-set_union.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/src/set/gnunet-service-set_union.c b/src/set/gnunet-service-set_union.c index be50ec8d6..6bb28471a 100644 --- a/src/set/gnunet-service-set_union.c +++ b/src/set/gnunet-service-set_union.c | |||
| @@ -982,12 +982,15 @@ send_done_and_destroy (void *cls) | |||
| 982 | struct Operation *op = cls; | 982 | struct Operation *op = cls; |
| 983 | struct GNUNET_MQ_Envelope *ev; | 983 | struct GNUNET_MQ_Envelope *ev; |
| 984 | struct GNUNET_SET_ResultMessage *rm; | 984 | struct GNUNET_SET_ResultMessage *rm; |
| 985 | int keep = op->keep; | ||
| 985 | ev = GNUNET_MQ_msg (rm, GNUNET_MESSAGE_TYPE_SET_RESULT); | 986 | ev = GNUNET_MQ_msg (rm, GNUNET_MESSAGE_TYPE_SET_RESULT); |
| 986 | rm->request_id = htonl (op->spec->client_request_id); | 987 | rm->request_id = htonl (op->spec->client_request_id); |
| 987 | rm->result_status = htons (GNUNET_SET_STATUS_DONE); | 988 | rm->result_status = htons (GNUNET_SET_STATUS_DONE); |
| 988 | rm->element_type = htons (0); | 989 | rm->element_type = htons (0); |
| 989 | GNUNET_MQ_send (op->spec->set->client_mq, ev); | 990 | GNUNET_MQ_send (op->spec->set->client_mq, ev); |
| 990 | _GSS_operation_destroy (op); | 991 | _GSS_operation_destroy (op); |
| 992 | if (GNUNET_YES == keep) | ||
| 993 | GNUNET_free (op); | ||
| 991 | } | 994 | } |
| 992 | 995 | ||
| 993 | 996 | ||
| @@ -1060,6 +1063,8 @@ finish_and_destroy (struct Operation *op) | |||
| 1060 | 1063 | ||
| 1061 | if (GNUNET_SET_RESULT_FULL == op->spec->result_mode) | 1064 | if (GNUNET_SET_RESULT_FULL == op->spec->result_mode) |
| 1062 | { | 1065 | { |
| 1066 | /* prevent that the op is free'd by the tunnel end handler */ | ||
| 1067 | op->keep = GNUNET_YES; | ||
| 1063 | GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "sending full result set\n"); | 1068 | GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "sending full result set\n"); |
| 1064 | GNUNET_assert (NULL == op->state->full_result_iter); | 1069 | GNUNET_assert (NULL == op->state->full_result_iter); |
| 1065 | op->state->full_result_iter = | 1070 | op->state->full_result_iter = |