From: Florian Forster
Date: Wed, 17 Jun 2015 15:28:39 +0000 (+0200)
Subject: src/utils_db_query.c: Fix use-after-free.
X-Git-Tag: collectd-5.5.1~105^2
X-Git-Url: https://git.tokkee.org/?a=commitdiff_plain;h=efda0ff7c7035dbbe72014369d1ad8c9624e8616;p=collectd.git
src/utils_db_query.c: Fix use-after-free.
"r_area->next" was evaluated after "r_area" was freed.
---
diff --git a/src/utils_db_query.c b/src/utils_db_query.c
index aadf9c5e..ab4299b3 100644
--- a/src/utils_db_query.c
+++ b/src/utils_db_query.c
@@ -976,10 +976,9 @@ udb_query_allocate_preparation_area (udb_query_t *q) /* {{{ */
 udb_result_preparation_area_t **next_r_area;
 udb_result_t *r;
- q_area = (udb_query_preparation_area_t *)malloc (sizeof (*q_area));
+ q_area = malloc (sizeof (*q_area));
 if (q_area == NULL)
 return NULL;
-
 memset (q_area, 0, sizeof (*q_area));
 next_r_area = &q_area->result_prep_areas;
@@ -987,14 +986,18 @@ udb_query_allocate_preparation_area (udb_query_t *q) /* {{{ */
 {
 udb_result_preparation_area_t *r_area;
- r_area = (udb_result_preparation_area_t *)malloc (sizeof (*r_area));
+ r_area = malloc (sizeof (*r_area));
 if (r_area == NULL)
 {
- for (r_area = q_area->result_prep_areas;
- r_area != NULL; r_area = r_area->next)
+ udb_result_preparation_area_t *a = q_area->result_prep_areas;
+
+ while (a != NULL)
 {
- free (r_area);
+ udb_result_preparation_area_t *next = a->next;
+ sfree (a);
+ a = next;
 }
+
 free (q_area);
 return NULL;
 }
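Review bot: The cleanup walk added in the `r_area == NULL` branch is only safe while `q_area->result_prep_areas` and every node's `next` are NULL until linked, and `malloc` guarantees neither. For `q_area` that depends on the separate `memset (q_area, 0, sizeof (*q_area));` in the first hunk; whatever zeroes and links `r_area` lies after this hunk, so that half is assumed rather than visible here. Allocating with `q_area = calloc (1, sizeof (*q_area));` and `r_area = calloc (1, sizeof (*r_area));` would tie the invariant to the allocation, so the walk could not follow an uninitialized pointer if a `memset` is later moved or dropped. The function starts before and continues past both hunks.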