multipathd: uxlsnr: fix memory leak handling invalid commands

If a client sends invalid commands with at least one correct keyword, (e.g "show bogus"), get_cmdvec() returns 0 and c->cmdvec is allocated but never freed. Fix it by freeing the cmdvec when setting the state to CLT_SEND. Signed-off-by: Martin Wilck <mwilck@suse.com> Suggested-by: Qualys Security Advisory <qsa@qualys.com> Reviewed-by: Benjamin Marzinski <bmarzins@redhat.com>
opensvc · Sep 27, 2022 · 994811a · 994811a
1 parent cb57b93
commit 994811a
Showing 1 changed file with 5 additions and 4 deletions.
diff --git a/multipathd/uxlsnr.c b/multipathd/uxlsnr.c
@@ -412,6 +412,11 @@ static void set_client_state(struct client *c, int state)
 		c->expires = ts_zero;
 		/* reuse these fields for next data transfer */
 		c->len = c->cmd_len = 0;
+		/* cmdvec isn't needed any more */
+		if (c->cmdvec) {
+			free_keys(c->cmdvec);
+			c->cmdvec = NULL;
+		}
 		break;
 	default:
 		break;
@@ -506,8 +511,6 @@ static int client_state_machine(struct client *c, struct vectors *vecs,
 			check_for_locked_work(c);
 			pthread_cleanup_pop(1);
 			condlog(4, "%s: cli[%d] grabbed lock", __func__, c->fd);
-			free_keys(c->cmdvec);
-			c->cmdvec = NULL;
 			set_client_state(c, CLT_SEND);
 			/* Wait for POLLOUT */
 			return STM_BREAK;
@@ -518,8 +521,6 @@ static int client_state_machine(struct client *c, struct vectors *vecs,
 
 	case CLT_WORK:
 		c->error = execute_handler(c, vecs);
-		free_keys(c->cmdvec);
-		c->cmdvec = NULL;
 		set_client_state(c, CLT_SEND);
 		/* Wait for POLLOUT */
 		return STM_BREAK;