authorSamuel Thibault <samuel.thibault@ens-lyon.org>2013-11-01 22:39:19 +0100
committerSamuel Thibault <samuel.thibault@ens-lyon.org>2013-11-01 22:39:19 +0100
commita274a4f22c83c536744e77e3dc873417912a1928 (patch)
tree14cd344b0a0897b050b124c4c00303cdce132308
parent2ca0296a824d12bc55e3d4d0bf580f26a10eb830 (diff)
Fix use after free
Reported by Justus Winter * libtrivfs/protid-clean.c (trivfs_clean_protid): New variable `cntl` factorizes access to `cred->po->cntl`, and fixes use after free of cred->po.
-rw-r--r--libtrivfs/protid-clean.c13
1 files changed, 7 insertions, 6 deletions
diff --git a/libtrivfs/protid-clean.c b/libtrivfs/protid-clean.c
index 856d7af5..a9623a3c 100644
--- a/libtrivfs/protid-clean.c
+++ b/libtrivfs/protid-clean.c
@@ -23,26 +23,27 @@ void
trivfs_clean_protid (void *arg)
{
struct trivfs_protid *cred = arg;
-
+ struct trivfs_control *cntl = cred->po->cntl;
+
if (trivfs_protid_destroy_hook && cred->realnode != MACH_PORT_NULL)
/* Allow the user to clean up; If the realnode field is null, then CRED
wasn't initialized to the point of needing user cleanup. */
(*trivfs_protid_destroy_hook) (cred);
/* If we hold the only reference to the peropen, try to get rid of it. */
- pthread_mutex_lock (&cred->po->cntl->lock);
+ pthread_mutex_lock (&cntl->lock);
if (cred->po->refcnt == 1 && trivfs_peropen_destroy_hook)
{
- pthread_mutex_unlock (&cred->po->cntl->lock);
+ pthread_mutex_unlock (&cntl->lock);
(*trivfs_peropen_destroy_hook) (cred->po);
- pthread_mutex_lock (&cred->po->cntl->lock);
+ pthread_mutex_lock (&cntl->lock);
}
if (--cred->po->refcnt == 0)
{
- ports_port_deref (cred->po->cntl);
+ ports_port_deref (cntl);
free (cred->po);
}
- pthread_mutex_unlock (&cred->po->cntl->lock);
+ pthread_mutex_unlock (&cntl->lock);
iohelp_free_iouser (cred->user);