From 454228f5f7b65b398c8cbaef094cf71f5dbac434 Mon Sep 17 00:00:00 2001
From: Andre Noll
Date: Fri, 29 Jun 2012 16:28:11 +0200
Subject: [PATCH 1/1] sideband: Fix use after free bug.

Commit 32ffc06c (Pass command exit status via sideband to client.) made para_server's command handler send the exit status of the command to the client as an RC4-encrypted sideband packet. However, the encryption key has already been freed when this packet is sent. This may result in client errors about invalid or unexpected sideband designators, but these errors occurred rather infrequently, which makes this bug hard to trigger. Presumably the freed memory is usually not being reused since the command handler is going to dye anyway after the packet is sent. This patch fixes the bug by deferring to free the crypto keys until the exit code has been sent.
---
 command.c | 16 +++++++---------
 1 file changed, 7 insertions(+), 9 deletions(-)

diff --git a/command.c b/command.c
index 2cac57f9..72f8e04e 100644
--- a/command.c
+++ b/command.c
@@ -1107,19 +1107,17 @@ net_err:
 out:
 free(buf);
 free(command);
- sc_free(cc->scc.recv);
- sc_free(cc->scc.send);
 mutex_lock(mmd_mutex);
 if (cc->cmd && (cc->cmd->perms & AFS_WRITE) && ret >= 0)
 mmd->events++;
 mmd->active_connections--;
 mutex_unlock(mmd_mutex);
- if (ret < 0)
- exit(EXIT_FAILURE);
- if (!cc->use_sideband)
- exit(EXIT_SUCCESS);
- ret = send_sb(&cc->scc, NULL, 0, SBD_EXIT__SUCCESS, true);
- if (ret < 0)
- PARA_NOTICE_LOG("%s\n", para_strerror(-ret));
+ if (ret >= 0 && cc->use_sideband) {
+ ret = send_sb(&cc->scc, NULL, 0, SBD_EXIT__SUCCESS, true);
+ if (ret < 0)
+ PARA_NOTICE_LOG("%s\n", para_strerror(-ret));
+ }
+ sc_free(cc->scc.recv);
+ sc_free(cc->scc.send);
 exit(ret < 0? EXIT_FAILURE : EXIT_SUCCESS);
 }
--
2.39.2
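Review bot: Nothing at the `out:` label records that `send_sb()` encrypts with the cipher contexts held in `cc->scc`, so the ordering this patch establishes could be undone by a later cleanup that moves the frees back next to `free(buf)`/`free(command)`. A comment directly above the two `sc_free()` calls would pin the lifetime rule, e.g. `/* send_sb() encrypts with cc->scc: free the keys only after the exit status is sent */`. Whether `sc_free()` wipes the key material before releasing it is not visible in this hunk; that is worth confirming, even though the process calls `exit()` immediately afterwards. The function body starts outside the hunk, so the paths that reach `out:` with `ret < 0` could not be checked from here.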