Merge pull request #18 from past-due/fix_user_after_free
Fix handling protocol->init() failure, fix double-free
paullouisageneau committed Jun 19, 2024
2 parents c111e0a + 347d234 commit c5f5f3c
Showing 5 changed files with 8 additions and 3 deletions.
3 changes: 3 additions & 0 deletions src/client.c
@@ -315,6 +315,9 @@ void client_run(client_t *client) {
if (!client->protocol) {
client->protocol = protocols + protocol_num;
err = client->protocol->init(&client->protocol_state);
if (err != PROTOCOL_ERR_SUCCESS) {
client->protocol = NULL;
}
}

if (err == PROTOCOL_ERR_SUCCESS) {
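Review bot: The new failure branch in client_run clears `client->protocol`, but nothing here states the contract it relies on: a failing `init()` must already have released and reset `client->protocol_state`, because with the pointer cleared the matching cleanup presumably never runs for it. pcp_init and upnp_init in this commit do free and NULL `state->impl` on their failure paths, but noprotocol's init is not shown, so that should be confirmed. I would add a comment above the assignment, `// init() failed and has released its own state; drop the protocol so cleanup() is never called on it`. client_run's body starts and ends outside the hunk.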
3 changes: 0 additions & 3 deletions src/http.c
@@ -160,7 +160,6 @@ static int http_perform_rec(const http_request_t *request, http_response_t *resp
int code = 0;
if (sscanf(buffer, "HTTP/%*s %d %*s\n%n", &code, &len) != 1 || code <= 0) {
PLUM_LOG_WARN("Failed to parse HTTP response status");
free(buffer);
goto error;
}

@@ -170,7 +169,6 @@ static int http_perform_rec(const http_request_t *request, http_response_t *resp
char *headers_end = strstr(headers_begin, "\r\n\r\n");
if (!headers_end) {
PLUM_LOG_WARN("Failed to parse HTTP response headers");
free(buffer);
goto error;
}
headers_end += 2;
@@ -200,7 +198,6 @@ static int http_perform_rec(const http_request_t *request, http_response_t *resp
response->headers = malloc(headers_size + 1);
if (!response->headers) {
PLUM_LOG_WARN("Failed to allocate memory for HTTP headers, size=%zu", headers_size + 1);
free(buffer);
goto error;
}
memcpy(response->headers, headers_begin, headers_size);
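Review bot: In the first hunk of http_perform_rec, the status-line check `sscanf(...) != 1` does not prove that `%n` stored into `len`: `%n` is not counted in the return value, so a response whose status line ends right after the code still returns 1 with `len` left untouched. If `len` is then used to locate the headers (its declaration and use are outside the hunk), a malformed reply from the remote server would drive that offset from a stale or uninitialized value. Setting `len = 0;` before the call and extending the condition to `|| code <= 0 || len <= 0) {` would reject such input on the same error path. The `error:` label that now owns `free(buffer)` is also outside the hunk, so it is worth confirming it frees the buffer on all three of these paths.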
1 change: 1 addition & 0 deletions src/noprotocol.c
@@ -39,6 +39,7 @@ int noprotocol_cleanup(protocol_state_t *state) {
cond_destroy(&impl->interrupt_cond);

free(state->impl);
state->impl = NULL;
return PROTOCOL_ERR_SUCCESS;
}

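Review bot: Resetting `state->impl` after the free in noprotocol_cleanup turns a second cleanup call from a double free into a NULL dereference, because `impl` is used (`cond_destroy(&impl->interrupt_cond)`) before the free and no NULL check is visible. The start of the function is outside the hunk, so a guard may already exist; if not, I would add `if (!state->impl) return PROTOCOL_ERR_SUCCESS;` at the top. The same applies to pcp_cleanup in src/pcp.c and upnp_cleanup in src/upnp.c, which dereference `impl` for `closesocket` and `free(impl->control_url)` before the same reset.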
2 changes: 2 additions & 0 deletions src/pcp.c
@@ -67,6 +67,7 @@ int pcp_init(protocol_state_t *state) {
closesocket(impl->mcast_sock);

free(state->impl);
state->impl = NULL;
return PROTOCOL_ERR_INSUFF_RESOURCES;
}

@@ -78,6 +79,7 @@ int pcp_cleanup(protocol_state_t *state) {
closesocket(impl->mcast_sock);

free(state->impl);
state->impl = NULL;
return PROTOCOL_ERR_SUCCESS;
}

2 changes: 2 additions & 0 deletions src/upnp.c
@@ -60,6 +60,7 @@ int upnp_init(protocol_state_t *state) {
closesocket(impl->sock);

free(state->impl);
state->impl = NULL;
return PROTOCOL_ERR_INSUFF_RESOURCES;
}

@@ -72,6 +73,7 @@ int upnp_cleanup(protocol_state_t *state) {
free(impl->control_url);

free(state->impl);
state->impl = NULL;
return PROTOCOL_ERR_SUCCESS;
}

