rpcb_clnt.c: Eliminate double frees in delete_cache() (RHEL-11293)

commit 1d2e10afb2ffc35cb3623f57a15f712359f18e75
Author: Herb Wartens <wartens2@llnl.gov>
Date:   Tue Aug 1 10:36:16 2023 -0400

    rpcb_clnt.c: Eliminate double frees in delete_cache()

    Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2224666
    Signed-off-by: Steve Dickson <steved@redhat.com>

Signed-off-by: Steve Dickson <steved@redhat.com>
Resolves: RHEL-11293
Steve Dickson 2024-03-05 04:04:30 -05:00
parent 3ed75a05d5
commit 47fe9a88d6
2 changed files with 37 additions and 1 deletions


@ -0,0 +1,32 @@
commit 1d2e10afb2ffc35cb3623f57a15f712359f18e75
Author: Herb Wartens <wartens2@llnl.gov>
Date: Tue Aug 1 10:36:16 2023 -0400
rpcb_clnt.c: Eliminate double frees in delete_cache()
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2224666
Signed-off-by: Steve Dickson <steved@redhat.com>
diff --git a/src/rpcb_clnt.c b/src/rpcb_clnt.c
index c0a9e12..68fe69a 100644
--- a/src/rpcb_clnt.c
+++ b/src/rpcb_clnt.c
@@ -262,12 +262,15 @@ delete_cache(addr)
for (cptr = front; cptr != NULL; cptr = cptr->ac_next) {
if (!memcmp(cptr->ac_taddr->buf, addr->buf, addr->len)) {
/* Unlink from cache. We'll destroy it after releasing the mutex. */
- if (cptr->ac_uaddr)
+ if (cptr->ac_uaddr) {
free(cptr->ac_uaddr);
- if (prevptr)
+ cptr->ac_uaddr = NULL;
+ }
+ if (prevptr) {
prevptr->ac_next = cptr->ac_next;
- else
+ } else {
front = cptr->ac_next;
+ }
cachesize--;
break;
}
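Review bot: The comment in the match branch says the entry is destroyed after the mutex is released, yet `cptr->ac_uaddr` is still freed at this point, at unlink time, and the fix only resets the pointer afterwards. If the deferred destroy path already frees `ac_uaddr` (that code is outside this hunk), dropping the early `free()` would leave a single owner for the buffer instead of relying on `cptr->ac_uaddr = NULL;` to mask the second free. The subject says "double frees" in the plural but only one pointer is reset here, and the commit message does not name the later call that performed the second free; one sentence identifying it would make the fix auditable. The braces added around the `prevptr` branches are a style-only change and would be easier to review in a separate commit.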


@ -2,7 +2,7 @@
Name: libtirpc
Version: 1.1.4
Release: 9%{?dist}
Release: 10%{?dist}
Summary: Transport Independent RPC Library
Group: System Environment/Libraries
License: SISSL and BSD
@ -51,6 +51,7 @@ Patch009: libtirpc-1.1.4-multithr-cleanup.patch
# RHEL 8.10
#
Patch010: libtirpc-1.1.4-null-ptrs-not-reused.patch
Patch011: libtirpc-1.1.4-double-free.patch
BuildRequires: automake, autoconf, libtool, pkgconfig
BuildRequires: krb5-devel
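Review bot: `Patch011` is declared in this hunk, but none of the spec hunks adds a matching `%patch` line. The page reports 37 additions in total, 32 of them in the new patch file, and the remaining five are accounted for by the Release, Patch011 and %changelog lines. Confirm that %prep applies patches automatically (for example via `%autosetup` or `%autopatch`); if it lists `%patch` lines by hand, the double-free fix ships in the source package but is never applied to the build.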
@ -171,6 +172,9 @@ mv %{buildroot}%{_mandir}/man3 %{buildroot}%{_mandir}/man3t
%{_mandir}/*/*
%changelog
* Tue Mar 5 2024 Steve Dickson <steved@redhat.com> 1.1.4-10
- rpcb_clnt.c: Eliminate double frees in delete_cache() (RHEL-11293)
* Mon Mar 4 2024 Steve Dickson <steved@redhat.com> 1.1.4-9
- Null pointers so they are not used again (RHEL-11370)