rpcb_clnt.c: Eliminate double frees in delete_cache() (RHEL-11183)
commit 1d2e10afb2ffc35cb3623f57a15f712359f18e75
Author: Herb Wartens <wartens2@llnl.gov>
Date:   Tue Aug 1 10:36:16 2023 -0400
    rpcb_clnt.c: Eliminate double frees in delete_cache()
    Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2224666
    Signed-off-by: Steve Dickson <steved@redhat.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
Resolves: RHEL-11183
			
			
This commit is contained in:
		
							parent
							
								
									b1fbacc836
								
							
						
					
					
						commit
						97a014bbe9
					
				
							
								
								
									
										32
									
								
								libtirpc-1.3.3-double-free.patch
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										32
									
								
								libtirpc-1.3.3-double-free.patch
									
									
									
									
									
										Normal file
									
								
							| @ -0,0 +1,32 @@ | ||||
| commit 1d2e10afb2ffc35cb3623f57a15f712359f18e75 | ||||
| Author: Herb Wartens <wartens2@llnl.gov> | ||||
| Date:   Tue Aug 1 10:36:16 2023 -0400 | ||||
| 
 | ||||
|     rpcb_clnt.c: Eliminate double frees in delete_cache() | ||||
|      | ||||
|     Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2224666 | ||||
|     Signed-off-by: Steve Dickson <steved@redhat.com> | ||||
| 
 | ||||
| diff --git a/src/rpcb_clnt.c b/src/rpcb_clnt.c
 | ||||
| index c0a9e12..68fe69a 100644
 | ||||
| --- a/src/rpcb_clnt.c
 | ||||
| +++ b/src/rpcb_clnt.c
 | ||||
| @@ -262,12 +262,15 @@ delete_cache(addr)
 | ||||
|  	for (cptr = front; cptr != NULL; cptr = cptr->ac_next) { | ||||
|  		if (!memcmp(cptr->ac_taddr->buf, addr->buf, addr->len)) { | ||||
|  			/* Unlink from cache. We'll destroy it after releasing the mutex. */ | ||||
| -			if (cptr->ac_uaddr)
 | ||||
| +			if (cptr->ac_uaddr) {
 | ||||
|  				free(cptr->ac_uaddr); | ||||
| -			if (prevptr)
 | ||||
| +				cptr->ac_uaddr = NULL;
 | ||||
| +			}
 | ||||
| +			if (prevptr) {
 | ||||
|  				prevptr->ac_next = cptr->ac_next; | ||||
| -			else
 | ||||
| +			} else {
 | ||||
|  				front = cptr->ac_next; | ||||
| +			}
 | ||||
|  			cachesize--; | ||||
|  			break; | ||||
|  		} | ||||
| @ -2,7 +2,7 @@ | ||||
| 
 | ||||
| Name:			libtirpc | ||||
| Version:		1.3.3 | ||||
| Release:		5%{?dist} | ||||
| Release:		6%{?dist} | ||||
| Summary:		Transport Independent RPC Library | ||||
| License:		SISSL and BSD | ||||
| URL:  			http://git.linux-nfs.org/?p=steved/libtirpc.git;a=summary | ||||
| @ -29,6 +29,7 @@ Patch003: libtirpc-1.3.3-dos-sleep.patch | ||||
| # | ||||
| Patch004: libtirpc-1.3.3-null-ptrs-not-reused.patch | ||||
| Patch005: libtirpc-1.3.3-gssd-context-creation.patch | ||||
| Patch006: libtirpc-1.3.3-double-free.patch | ||||
| 
 | ||||
| %description | ||||
| This package contains SunLib's implementation of transport-independent | ||||
| @ -129,6 +130,9 @@ mv %{buildroot}%{_mandir}/man3 %{buildroot}%{_mandir}/man3t | ||||
| %{_mandir}/*/* | ||||
| 
 | ||||
| %changelog | ||||
| * Tue Mar  5 2024 Steve Dickson <steved@redhat.com> - 1.3.3-6 | ||||
| - rpcb_clnt.c: Eliminate double frees in delete_cache() (RHEL-11183) | ||||
| 
 | ||||
| * Mon Mar  4 2024 Steve Dickson <steved@redhat.com> - 1.3.3-5 | ||||
| - Fix rpc_gss_seccreate() usage of the passed in gss credential. (RHEL-27936) | ||||
| 
 | ||||
|  | ||||
		Loading…
	
		Reference in New Issue
	
	Block a user