upnp.c: Fix heap-use-after-free
If upnp_init() fails, state->impl has already been freed.
past-due committed Jun 15, 2024
1 parent c111e0a commit 2f81d47
Showing 1 changed file with 7 additions and 4 deletions.
11 changes: 7 additions & 4 deletions src/upnp.c
Expand Up @@ -60,18 +60,21 @@ int upnp_init(protocol_state_t *state) {
closesocket(impl->sock);

free(state->impl);
state->impl = NULL;
return PROTOCOL_ERR_INSUFF_RESOURCES;
}

int upnp_cleanup(protocol_state_t *state) {
PLUM_LOG_VERBOSE("Cleaning up UPnP state");

upnp_impl_t *impl = state->impl;
closesocket(impl->sock);
free(impl->location_url);
free(impl->control_url);
if (impl) {
closesocket(impl->sock);
free(impl->location_url);
free(impl->control_url);

free(state->impl);
free(state->impl);
}
return PROTOCOL_ERR_SUCCESS;
}
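Review bot: In upnp_cleanup the new `if (impl)` guard frees `state->impl` but leaves the pointer set, so it does not protect a second cleanup call or any later read of `state->impl`; that would be a double free or use-after-free of the kind this commit fixes on the init failure path. Mirroring that path by adding `state->impl = NULL;` right after `free(state->impl);` makes the guard effective on repeated calls. Whether any caller actually invokes cleanup twice is not visible here, so treat this as hardening. upnp_init's body starts outside the hunk, so its other error returns could not be checked for the same reset.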
