sideband: Fix use after free bug.

Commit 32ffc06c (Pass command exit status via sideband to client.)
made para_server's command handler send the exit status of the command
to the client as an RC4-encrypted sideband packet.

However, the encryption key has already been freed when this packet
is sent. This may result in client errors about invalid or unexpected
sideband designators, but these errors occurred rather infrequently,
which makes this bug hard to trigger. Presumably the freed memory is
usually not being reused since the command handler is going to dye
anyway after the packet is sent.

This patch fixes the bug by deferring to free the crypto keys until
the exit code has been sent.

diff --git a/command.c b/command.c
index 2cac57f90637f8aa42635700a58b77a688b3ff5d..72f8e04e7fe949c89bba065c857a0e7d9ab0820c 100644 (file)
--- a/command.c
+++ b/command.c
@@ -1107,19 +1107,17 @@ net_err:
 out:
        free(buf);
        free(command);
-       sc_free(cc->scc.recv);
-       sc_free(cc->scc.send);
        mutex_lock(mmd_mutex);
        if (cc->cmd && (cc->cmd->perms & AFS_WRITE) && ret >= 0)
                mmd->events++;
        mmd->active_connections--;
        mutex_unlock(mmd_mutex);
-       if (ret < 0)
-               exit(EXIT_FAILURE);
-       if (!cc->use_sideband)
-               exit(EXIT_SUCCESS);
-       ret = send_sb(&cc->scc, NULL, 0, SBD_EXIT__SUCCESS, true);
-       if (ret < 0)
-               PARA_NOTICE_LOG("%s\n", para_strerror(-ret));
+       if (ret >= 0 && cc->use_sideband) {
+               ret = send_sb(&cc->scc, NULL, 0, SBD_EXIT__SUCCESS, true);
+               if (ret < 0)
+                       PARA_NOTICE_LOG("%s\n", para_strerror(-ret));
+       }
+       sc_free(cc->scc.recv);
+       sc_free(cc->scc.send);
        exit(ret < 0? EXIT_FAILURE : EXIT_SUCCESS);
 }