From 1205b167f300adacdcf7d5dd385299d2b05ace32 Mon Sep 17 00:00:00 2001 From: Florian Forster Date: Wed, 17 Jun 2015 10:37:31 +0200 Subject: [PATCH] email plugin: Fix freeing linked lists. MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit The previous code essentially did: for (…; …; ptr = ptr->next) free (ptr); The "ptr->next" is a use-after-free. --- src/email.c | 56 ++++++++++++++++++++++++----------------------------- 1 file changed, 25 insertions(+), 31 deletions(-) diff --git a/src/email.c b/src/email.c index 8f633cd1..4aac3e31 100644 --- a/src/email.c +++ b/src/email.c @@ -570,10 +570,27 @@ static int email_init (void) return (0); } /* int email_init */ -static int email_shutdown (void) +static void type_list_free (type_list_t *t) { - type_t *ptr = NULL; + type_t *this; + + this = t->head; + while (this != NULL) + { + type_t *next = this->next; + + sfree (this->name); + sfree (this); + + this = next; + } + t->head = NULL; + t->tail = NULL; +} + +static int email_shutdown (void) +{ int i = 0; if (connector != ((pthread_t) 0)) { @@ -613,35 +630,12 @@ static int email_shutdown (void) pthread_mutex_unlock (&conns_mutex); - for (ptr = list_count.head; NULL != ptr; ptr = ptr->next) { - free (ptr->name); - free (ptr); - } - - for (ptr = list_count_copy.head; NULL != ptr; ptr = ptr->next) { - free (ptr->name); - free (ptr); - } - - for (ptr = list_size.head; NULL != ptr; ptr = ptr->next) { - free (ptr->name); - free (ptr); - } - - for (ptr = list_size_copy.head; NULL != ptr; ptr = ptr->next) { - free (ptr->name); - free (ptr); - } - - for (ptr = list_check.head; NULL != ptr; ptr = ptr->next) { - free (ptr->name); - free (ptr); - } - - for (ptr = list_check_copy.head; NULL != ptr; ptr = ptr->next) { - free (ptr->name); - free (ptr); - } + type_list_free (&list_count); + type_list_free (&list_count_copy); + type_list_free (&list_size); + type_list_free (&list_size_copy); + type_list_free (&list_check); + type_list_free (&list_check_copy); unlink ((NULL == sock_file) ? SOCK_PATH : sock_file); -- 2.30.2