replsess: fix double free of sendbuf in some cases.

In iRet handler of relpSessSendResponse, the sendbuf was freed if iRet returned a failure. However if error RELP_RET_IO_ERR happened in relpSendqAddBuf, sendbuf was already assigned to relpSendqe_t. As a result sendbuf was double freed in relpSendqDestruct. see also rsyslog/rsyslog#4184 rsyslog/rsyslog#4005 closes #183
rsyslog · Apr 9, 2020 · 4a6ad86 · 4a6ad86
1 parent 78658fd
commit 4a6ad86
Showing 1 changed file with 8 additions and 3 deletions.
diff --git a/src/relpsess.c b/src/relpsess.c
@@ -329,10 +329,15 @@ relpSessSendResponse(relpSess_t *pThis, relpTxnr_t txnr, unsigned char *pData, s
 			callOnErr(pThis, "io error, session broken", RELP_RET_SESSION_BROKEN);
 			pThis->pEngine->dbgprint("relp session %p is broken, io error\n", (void*)pThis);
 			pThis->sessState = eRelpSessState_BROKEN;
-			}
+		} else {
+			/*	alorbach, 2020-04-08:
+			*		Only free sendbuf if error is not RELP_RET_IO_ERR!
+			*		otherwise the buffer is double freed in relpSendbufDestruct() (sendbuf.c)
+			*/
+			if(pSendbuf != NULL)
+				relpSendbufDestruct(&pSendbuf);
+		}
 
-		if(pSendbuf != NULL)
-			relpSendbufDestruct(&pSendbuf);
 	}
 
 	LEAVE_RELPFUNC;