From a274a4f22c83c536744e77e3dc873417912a1928 Mon Sep 17 00:00:00 2001
From: Samuel Thibault
Date: Fri, 1 Nov 2013 22:39:19 +0100
Subject: Fix use after free

Reported by Justus Winter

* libtrivfs/protid-clean.c (trivfs_clean_protid): New variable `cntl` factorizes access to `cred->po->cntl`, and fixes use after free of cred->po.
---
 libtrivfs/protid-clean.c | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

(limited to 'libtrivfs')

diff --git a/libtrivfs/protid-clean.c b/libtrivfs/protid-clean.c
index 856d7af5..a9623a3c 100644
--- a/libtrivfs/protid-clean.c
+++ b/libtrivfs/protid-clean.c
@@ -23,26 +23,27 @@
 void
 trivfs_clean_protid (void *arg)
 {
 struct trivfs_protid *cred = arg;
-
+ struct trivfs_control *cntl = cred->po->cntl;
+
 if (trivfs_protid_destroy_hook && cred->realnode != MACH_PORT_NULL)
 /* Allow the user to clean up; If the realnode field is null, then CRED wasn't initialized to the point of needing user cleanup. */
 (*trivfs_protid_destroy_hook) (cred);
 /* If we hold the only reference to the peropen, try to get rid of it. */
- pthread_mutex_lock (&cred->po->cntl->lock);
+ pthread_mutex_lock (&cntl->lock);
 if (cred->po->refcnt == 1 && trivfs_peropen_destroy_hook)
 {
- pthread_mutex_unlock (&cred->po->cntl->lock);
+ pthread_mutex_unlock (&cntl->lock);
 (*trivfs_peropen_destroy_hook) (cred->po);
- pthread_mutex_lock (&cred->po->cntl->lock);
+ pthread_mutex_lock (&cntl->lock);
 }
 if (--cred->po->refcnt == 0)
 {
- ports_port_deref (cred->po->cntl);
+ ports_port_deref (cntl);
 free (cred->po);
 }
- pthread_mutex_unlock (&cred->po->cntl->lock);
+ pthread_mutex_unlock (&cntl->lock);
 iohelp_free_iouser (cred->user);
-- cgit v1.2.3
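Review bot: The new `cntl` local at the top of trivfs_clean_protid carries no comment saying why it exists, so a later cleanup could fold it back into `cred->po->cntl` and reintroduce the use after free of `cred->po` that this commit fixes; I would document it at the declaration, e.g. `/* cred->po may be freed below, so keep the control pointer in a local: the final unlock and deref must not go through cred->po. */`. For the same reason I would add `cred->po = NULL;` immediately after `free (cred->po);`, so that any later read of `cred->po` in the rest of the function (which continues past this hunk) faults instead of quietly reading freed memory. The initializer `cred->po->cntl` is also now evaluated before the `realnode != MACH_PORT_NULL` guard that the comment ties to a not-fully-initialized protid; the old code already dereferenced `cred->po` unconditionally a few lines later, so this is not a new assumption, but it is worth confirming that `po` is always set before a protid can reach this cleanup path.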