sd-bus: fix use-after-free in close_kdbus_msg()

Walk the items first, then free the memory of the message.

Also, while at it, make coverity happy with an explicit (void) prefix.
We intentionally ignore the return value here.

1 files changed, 2 insertions, 2 deletions

diff --git a/src/libsystemd/sd-bus/bus-kernel.c b/src/libsystemd/sd-bus/bus-kernel.c
index 92407133be..b431d78139 100644
--- a/src/libsystemd/sd-bus/bus-kernel.c
+++ b/src/libsystemd/sd-bus/bus-kernel.c
@@ -808,8 +808,6 @@ static void close_kdbus_msg(sd_bus *bus, struct kdbus_msg *k) {
         cmd.flags = 0;
         cmd.offset = (uint8_t *)k - (uint8_t *)bus->kdbus_buffer;
 
-        ioctl(bus->input_fd, KDBUS_CMD_FREE, &cmd);
-
         KDBUS_ITEM_FOREACH(d, k, items) {
 
                 if (d->type == KDBUS_ITEM_FDS)
@@ -817,6 +815,8 @@ static void close_kdbus_msg(sd_bus *bus, struct kdbus_msg *k) {
                 else if (d->type == KDBUS_ITEM_PAYLOAD_MEMFD)
                         safe_close(d->memfd.fd);
         }
+
+        (void) ioctl(bus->input_fd, KDBUS_CMD_FREE, &cmd);
 }
 
 int bus_kernel_write_message(sd_bus *bus, sd_bus_message *m, bool hint_sync_call) {