
Use a single free-and-exit strategy in config_process_include.

This avoids a double-free when a pointer already freed with
tor_free(config_line) is freed again in the cleanup-and-exit code.

Fixes bug 23155.
Nick Mathewson 6 years ago
commit
72832086e2
2 changed files with 13 additions and 7 deletions
  1. 4 0
      changes/bug23155
  2. 9 7
      src/common/confline.c

+ 4 - 0
changes/bug23155

@@ -0,0 +1,4 @@
+  o Minor bugfixes (stability):
+    - Avoid crashing on double-free when unable to load or process
+      an included file. Fixes bug 23155; bugfix on 0.3.1.1-alpha.
+      Found with the clang static analyzer.

+ 9 - 7
src/common/confline.c

@@ -294,24 +294,26 @@ config_process_include(const char *path, int recursion_level, int extended,
     return -1;
   }
 
-  SMARTLIST_FOREACH_BEGIN(config_files, char *, config_file) {
+  int rv = -1;
+  SMARTLIST_FOREACH_BEGIN(config_files, const char *, config_file) {
     config_line_t *included_list = NULL;
     if (config_get_included_list(config_file, recursion_level, extended,
                                   &included_list, list_last) < 0) {
-      SMARTLIST_FOREACH(config_files, char *, f, tor_free(f));
-      smartlist_free(config_files);
-      return -1;
+      goto done;
     }
-    tor_free(config_file);
 
     *next = included_list;
     if (*list_last)
       next = &(*list_last)->next;
 
   } SMARTLIST_FOREACH_END(config_file);
-  smartlist_free(config_files);
   *list = ret_list;
-  return 0;
+  rv = 0;
+
+ done:
+  SMARTLIST_FOREACH(config_files, char *, f, tor_free(f));
+  smartlist_free(config_files);
+  return rv;
 }
 
 /**
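Review bot: On the `goto done` failure path, config lines that earlier iterations linked in through `*next = included_list` appear to be leaked, because `ret_list` is handed to `*list` only on success and the `done:` block frees only `config_files` and its strings. The declarations of `ret_list` and `next` are above the hunk, so this is inferred from the visible lines. If `ret_list` does own those lines, release them on failure with `if (rv < 0) config_free_lines(ret_list);` just before `return rv;`. In that case also make sure `*list_last` is not left pointing into the freed chain, since a caller that follows it after a failed include would read freed memory. A one-line comment at `done:` saying that `config_files` owns its strings until this point would explain why the loop variable became `const char *`.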