VC - RELEASE after DESTROY
Many error paths call DESTROY, which will unlink and drop the ref.  This
means that the final RELEASE will free, causing the DESTROY to
use-after-free.  Instead, make sure we DESTROY first.

Signed-off-by: Daniel Gryniewicz <dang@redhat.com>
dang committed Apr 6, 2020
1 parent 344a636 commit 2d13724
Showing 1 changed file with 4 additions and 2 deletions.
6 changes: 4 additions & 2 deletions src/clnt_vc.c
Expand Up @@ -459,12 +459,14 @@ clnt_vc_destroy(CLIENT *clnt)
struct cx_data *cx = CX_DATA(clnt);

if (cx->cx_rec) {
SVC_RELEASE(&cx->cx_rec->xprt, SVC_RELEASE_FLAG_NONE);

if (clnt->cl_flags & CLNT_FLAG_LOCAL) {
/* Local client; destroy the xprt */
SVC_DESTROY(&cx->cx_rec->xprt);
}

/* RELEASE after DESTROY in case an error case has already
* called DESTROY */
SVC_RELEASE(&cx->cx_rec->xprt, SVC_RELEASE_FLAG_NONE);
}
clnt_vc_data_free(CT_DATA(cx));
}
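Review bot: In the CLNT_FLAG_LOCAL branch, SVC_DESTROY(&cx->cx_rec->xprt) still runs unconditionally, so when an error path has already called DESTROY (the case the new comment names) this function calls it a second time on the same xprt before the final SVC_RELEASE. The ordering fix therefore depends on a repeated SVC_DESTROY being harmless while the reference is still held. Please either say so in the comment or guard the call. It would also help to extend the comment to state that the trailing SVC_RELEASE may drop the last reference and free the xprt, so nothing may touch cx->cx_rec->xprt after it. Otherwise a later edit could reintroduce the use-after-free by adding code below that line.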