| Brad Bishop | 977dc1a | 2019-02-06 16:01:43 -0500 | [diff] [blame] | 1 | From cb67aebd63d9f0077cbf3e769f0b223c5bba20ac Mon Sep 17 00:00:00 2001 |
| 2 | From: Khem Raj <raj.khem@gmail.com> |
| 3 | Date: Sun, 16 Dec 2018 20:58:35 -0800 |
| 4 | Subject: [PATCH 2/2] core: Fix use after free case in load_from_path() |
| 5 | |
| 6 | ensure that mfree() on filename is called after the logging function |
| 7 | which uses the string pointed by filename |
| 8 | |
| 9 | Signed-off-by: Khem Raj <raj.khem@gmail.com> |
| 10 | --- |
| 11 | Upstream-Status: Submitted [https://github.com/systemd/systemd/pull/11179] |
| 12 | src/core/load-fragment.c | 6 ++++-- |
| 13 | 1 file changed, 4 insertions(+), 2 deletions(-) |
| 14 | |
| 15 | diff --git a/src/core/load-fragment.c b/src/core/load-fragment.c |
| 16 | index fc5644f48..da585786e 100644 |
| 17 | --- a/src/core/load-fragment.c |
| 18 | +++ b/src/core/load-fragment.c |
| 19 | @@ -4531,7 +4531,6 @@ static int load_from_path(Unit *u, const char *path) { |
| 20 | r = open_follow(&filename, &f, symlink_names, &id); |
| 21 | if (r >= 0) |
| 22 | break; |
| 23 | - filename = mfree(filename); |
| 24 | |
| 25 | /* ENOENT means that the file is missing or is a dangling symlink. |
| 26 | * ENOTDIR means that one of paths we expect to be is a directory |
| 27 | @@ -4540,9 +4539,12 @@ static int load_from_path(Unit *u, const char *path) { |
| 28 | */ |
| 29 | if (r == -EACCES) |
| 30 | log_debug_errno(r, "Cannot access \"%s\": %m", filename); |
| 31 | - else if (!IN_SET(r, -ENOENT, -ENOTDIR)) |
| 32 | + else if (!IN_SET(r, -ENOENT, -ENOTDIR)) { |
| 33 | + filename = mfree(filename); |
| 34 | return r; |
| 35 | + } |
| 36 | |
| 37 | + filename = mfree(filename); |
| 38 | /* Empty the symlink names for the next run */ |
| 39 | set_clear_free(symlink_names); |
| 40 | } |
| 41 | -- |
| 42 | 2.20.1 |
| 43 | |