diff options
author | Daniel Mack <daniel@zonque.org> | 2014-10-07 11:32:07 +0200 |
---|---|---|
committer | Daniel Mack <daniel@zonque.org> | 2014-10-07 11:38:31 +0200 |
commit | ca794c8e9583eb660f535af32c8c8281a284f270 (patch) | |
tree | 82e99eb89e2ee85fc730328ee099da1a53d445e2 /src/libsystemd | |
parent | 4e3deeedc15b03197d591850061316289245c9a9 (diff) |
sd-bus: fix use-after-free in close_kdbus_msg()
Walk the items first, then free the memory of the message.
Also, while at it, make coverity happy with an explicit (void) prefix.
We intentionally ignore the return value here.
Diffstat (limited to 'src/libsystemd')
-rw-r--r-- | src/libsystemd/sd-bus/bus-kernel.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/src/libsystemd/sd-bus/bus-kernel.c b/src/libsystemd/sd-bus/bus-kernel.c index 92407133be..b431d78139 100644 --- a/src/libsystemd/sd-bus/bus-kernel.c +++ b/src/libsystemd/sd-bus/bus-kernel.c @@ -808,8 +808,6 @@ static void close_kdbus_msg(sd_bus *bus, struct kdbus_msg *k) { cmd.flags = 0; cmd.offset = (uint8_t *)k - (uint8_t *)bus->kdbus_buffer; - ioctl(bus->input_fd, KDBUS_CMD_FREE, &cmd); - KDBUS_ITEM_FOREACH(d, k, items) { if (d->type == KDBUS_ITEM_FDS) @@ -817,6 +815,8 @@ static void close_kdbus_msg(sd_bus *bus, struct kdbus_msg *k) { else if (d->type == KDBUS_ITEM_PAYLOAD_MEMFD) safe_close(d->memfd.fd); } + + (void) ioctl(bus->input_fd, KDBUS_CMD_FREE, &cmd); } int bus_kernel_write_message(sd_bus *bus, sd_bus_message *m, bool hint_sync_call) { |