```c
int Client_send_message_except(client_t *client, message_t *msg)
{
	client_t *itr = NULL;
	int count = 0;

	Msg_inc_ref(msg); /* Make sure a reference is held during the whole iteration. */
	while (Client_iterate_authenticated(&itr)) {
		if (itr != client) {
			if (count++ > 0)
				Msg_inc_ref(msg); /* One extra reference for each new copy */
			Log_debug("Msg %d to %s refcount %d", msg->messageType, itr->username, msg->refcount);
			Client_send_message(itr, msg);
		}
	}
	Msg_free(msg); /* Free our reference to the message */

	if (count == 0)
		Msg_free(msg); /* If only 1 client is connected then no message is passed
		                * to Client_send_message(). Free it here. */

	return 0;
}
```
In this function, if `msg->refcount` is zero and the loop `while (Client_iterate_authenticated(&itr))` executes zero times, the execution trace would be:

```c
client_t *itr = NULL;
int count = 0;
Msg_inc_ref(msg);
Msg_free(msg); /* Free our reference to the message */
if (count == 0)
	Msg_free(msg);
```

This might lead to a UAF bug, as `msg` was freed and is revisited in the second `Msg_free(msg);`
File: client.c
Bug Function: Client_send_message_except
Version: Git-master
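The reference accounting from the report, replayed as an added model (not code from the project or from the reporter) so the trace can be checked for any starting refcount and recipient count. The names `model_msg_t`, `model_inc_ref`, `model_free` and `replay_send_except` are hypothetical, and the model assumes that `Msg_free()` drops one reference and releases the message when none remain, and that each `Client_send_message()` keeps one reference until the copy is sent.

```c
#include <stdio.h>

/* Constructed model: nothing is really freed, releases are only recorded. */
typedef struct {
    int refcount;
    int released;       /* set once the last reference is dropped */
    int stale_accesses; /* calls made on the message after its release */
} model_msg_t;

static void model_inc_ref(model_msg_t *m)
{
    if (m->released) m->stale_accesses++;
    m->refcount++;
}

/* Assumed semantics: drop one reference, release when none remain. */
static void model_free(model_msg_t *m)
{
    if (m->released) { m->stale_accesses++; return; }
    if (m->refcount > 0) m->refcount--;
    if (m->refcount == 0) m->released = 1;
}

/* Replays Client_send_message_except() for `recipients` other clients. */
int replay_send_except(int initial_refcount, int recipients)
{
    model_msg_t m = { initial_refcount, 0, 0 };
    int count = 0, queued = 0, i;
    model_inc_ref(&m);             /* reference held during the iteration */
    for (i = 0; i < recipients; i++) {
        if (count++ > 0)
            model_inc_ref(&m);     /* one extra reference per new copy */
        queued++;                  /* assumed: each send keeps one reference */
    }
    model_free(&m);                /* drop the iteration reference */
    if (count == 0)
        model_free(&m);            /* nobody took the message */
    while (queued-- > 0)
        model_free(&m);            /* each queued copy is dropped after sending */
    return m.stale_accesses;       /* accesses after release */
}

int main(void)
{
    for (int r = 0; r <= 1; r++)
        for (int n = 0; n <= 2; n++)
            printf("refcount=%d recipients=%d stale=%d\n", r, n, replay_send_except(r, n));
    return 0;
}
```

Under these assumptions the accounting balances only when the caller enters with a refcount of at least 1, so a check of that precondition at function entry is what separates the safe traces from the reported one.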