summaryrefslogtreecommitdiff
path: root/src/libsystemd
diff options
context:
space:
mode:
authorDaniel Mack <daniel@zonque.org>2014-10-07 11:32:07 +0200
committerDaniel Mack <daniel@zonque.org>2014-10-07 11:38:31 +0200
commitca794c8e9583eb660f535af32c8c8281a284f270 (patch)
tree82e99eb89e2ee85fc730328ee099da1a53d445e2 /src/libsystemd
parent4e3deeedc15b03197d591850061316289245c9a9 (diff)
sd-bus: fix use-after-free in close_kdbus_msg()
Walk the items first, then free the memory of the message. Also, while at it, make coverity happy with an explicit (void) prefix. We intentionally ignore the return value here.
Diffstat (limited to 'src/libsystemd')
-rw-r--r--src/libsystemd/sd-bus/bus-kernel.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/src/libsystemd/sd-bus/bus-kernel.c b/src/libsystemd/sd-bus/bus-kernel.c
index 92407133be..b431d78139 100644
--- a/src/libsystemd/sd-bus/bus-kernel.c
+++ b/src/libsystemd/sd-bus/bus-kernel.c
@@ -808,8 +808,6 @@ static void close_kdbus_msg(sd_bus *bus, struct kdbus_msg *k) {
cmd.flags = 0;
cmd.offset = (uint8_t *)k - (uint8_t *)bus->kdbus_buffer;
- ioctl(bus->input_fd, KDBUS_CMD_FREE, &cmd);
-
KDBUS_ITEM_FOREACH(d, k, items) {
if (d->type == KDBUS_ITEM_FDS)
@@ -817,6 +815,8 @@ static void close_kdbus_msg(sd_bus *bus, struct kdbus_msg *k) {
else if (d->type == KDBUS_ITEM_PAYLOAD_MEMFD)
safe_close(d->memfd.fd);
}
+
+ (void) ioctl(bus->input_fd, KDBUS_CMD_FREE, &cmd);
}
int bus_kernel_write_message(sd_bus *bus, sd_bus_message *m, bool hint_sync_call) {