diff options
| author | Christian Grothoff <christian@grothoff.org> | 2013-12-08 20:40:27 +0000 |
|---|---|---|
| committer | Christian Grothoff <christian@grothoff.org> | 2013-12-08 20:40:27 +0000 |
| commit | e087b1c493b639f9b2e4b24e8c48cb78a49b8531 (patch) | |
| tree | 8a94af6b5d249a3ca623786be891230d0f27ac3a /src/set | |
| parent | 026db9217d89c7cc7069d663ec4ec1860c15fc39 (diff) | |
| download | gnunet-e087b1c493b639f9b2e4b24e8c48cb78a49b8531.tar.gz gnunet-e087b1c493b639f9b2e4b24e8c48cb78a49b8531.zip | |
fix use-after-free: the call to mesh_channel_destroy will ultimately free 'op', so we must not update 'op' after the call; however, it is a good idea to clean up the 'channel' field just before the call (#3164)
Diffstat (limited to 'src/set')
| -rw-r--r-- | src/set/gnunet-service-set.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/src/set/gnunet-service-set.c b/src/set/gnunet-service-set.c index 27c8d3bc0..13bb38292 100644 --- a/src/set/gnunet-service-set.c +++ b/src/set/gnunet-service-set.c | |||
| @@ -284,6 +284,7 @@ void | |||
| 284 | _GSS_operation_destroy (struct Operation *op) | 284 | _GSS_operation_destroy (struct Operation *op) |
| 285 | { | 285 | { |
| 286 | struct Set *set; | 286 | struct Set *set; |
| 287 | struct GNUNET_MESH_Channel *channel; | ||
| 287 | 288 | ||
| 288 | if (NULL == op->vt) | 289 | if (NULL == op->vt) |
| 289 | return; | 290 | return; |
| @@ -316,10 +317,10 @@ _GSS_operation_destroy (struct Operation *op) | |||
| 316 | op->mq = NULL; | 317 | op->mq = NULL; |
| 317 | } | 318 | } |
| 318 | 319 | ||
| 319 | if (NULL != op->channel) | 320 | if (NULL != (channel = op->channel)) |
| 320 | { | 321 | { |
| 321 | GNUNET_MESH_channel_destroy (op->channel); | ||
| 322 | op->channel = NULL; | 322 | op->channel = NULL; |
| 323 | GNUNET_MESH_channel_destroy (channel); | ||
| 323 | } | 324 | } |
| 324 | 325 | ||
| 325 | collect_generation_garbage (set); | 326 | collect_generation_garbage (set); |