Fix: Read from pointer after free
[lttng-tools.git] / src / bin / lttng-sessiond / main.c
index 445485b417d5d0b0e0cd6f1de4eaab41336baaf5..6f9834425192c3ca4b1f9f0e184071eb87f68b87 100644 (file)
@@ -232,6 +232,9 @@ static enum consumerd_state kernel_consumerd_state;
  */
 static int app_socket_timeout;
 
+/* Set in main() with the current page size. */
+long page_size;
+
 static
 void setup_consumerd_path(void)
 {
@@ -1377,6 +1380,11 @@ static void *thread_dispatch_ust_registration(void *data)
                                wait_node = zmalloc(sizeof(*wait_node));
                                if (!wait_node) {
                                        PERROR("zmalloc wait_node dispatch");
+                                       ret = close(ust_cmd->sock);
+                                       if (ret < 0) {
+                                               PERROR("close ust sock dispatch %d", ust_cmd->sock);
+                                       }
+                                       lttng_fd_put(1, LTTNG_FD_APPS);
                                        free(ust_cmd);
                                        goto error;
                                }
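Review bot: The close / PERROR / lttng_fd_put sequence added in this allocation-failure path is written out a second time in the `if (!app)` block of the next hunk, and both copies reuse `ret` for the close() result just before control leaves the normal flow. A small static helper would keep the descriptor close and the LTTNG_FD_APPS accounting paired in one place and leave `ret` untouched for whatever the `error` label does with it. That label is outside the hunk, so its use of `ret` could not be checked. The enclosing function thread_dispatch_ust_registration starts and ends outside this hunk.

```c
/* Close a registration socket and give back its slot in the apps fd count. */
static void close_ust_cmd_sock(int sock)
{
	if (close(sock) < 0) {
		PERROR("close ust sock dispatch %d", sock);
	}
	lttng_fd_put(1, LTTNG_FD_APPS);
}

/* ... unchanged: zmalloc of wait_node and its NULL check ... */
					PERROR("zmalloc wait_node dispatch");
					close_ust_cmd_sock(ust_cmd->sock);
					free(ust_cmd);
					goto error;
```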
@@ -1424,6 +1432,19 @@ static void *thread_dispatch_ust_registration(void *data)
                                                break;
                                        }
                                }
+
+                               /*
+                                * With no application at this stage the received socket is
+                                * basically useless so close it before we free the cmd data
+                                * structure for good.
+                                */
+                               if (!app) {
+                                       ret = close(ust_cmd->sock);
+                                       if (ret < 0) {
+                                               PERROR("close ust sock dispatch %d", ust_cmd->sock);
+                                       }
+                                       lttng_fd_put(1, LTTNG_FD_APPS);
+                               }
                                free(ust_cmd);
                        }
 
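Review bot: The `if (!app)` test is only correct if `app` is NULL here for every command that did not end up with an application object. Its declaration and any per-iteration reset are outside the hunk. If `app` can carry a non-NULL value over from an earlier pass of the loop, the close is skipped, and the descriptor leaks together with its LTTNG_FD_APPS slot. Confirm that `app` is reset at the top of each iteration (for example `app = NULL;`). It would also help if the comment stated who owns the socket when `app` is non-NULL, something like `/* When app is set it owns the socket; otherwise nobody does and we close it here, before ust_cmd is freed. */`.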
@@ -1485,13 +1506,6 @@ static void *thread_dispatch_ust_registration(void *data)
 
                                rcu_read_unlock();
                                session_unlock_list();
-                       } else {
-                               /* Application manager threads are not available. */
-                               ret = close(ust_cmd->sock);
-                               if (ret < 0) {
-                                       PERROR("close ust_cmd sock");
-                               }
-                               lttng_fd_put(1, LTTNG_FD_APPS);
                        }
                } while (node != NULL);
 
@@ -2892,6 +2906,7 @@ skip_domain:
 
                ret = setup_lttng_msg(cmd_ctx, nb_dom * sizeof(struct lttng_domain));
                if (ret < 0) {
+                       free(domains);
                        goto setup_error;
                }
 
@@ -2919,6 +2934,7 @@ skip_domain:
 
                ret = setup_lttng_msg(cmd_ctx, nb_chan * sizeof(struct lttng_channel));
                if (ret < 0) {
+                       free(channels);
                        goto setup_error;
                }
 
@@ -2946,6 +2962,7 @@ skip_domain:
 
                ret = setup_lttng_msg(cmd_ctx, nb_event * sizeof(struct lttng_event));
                if (ret < 0) {
+                       free(events);
                        goto setup_error;
                }
 
@@ -3091,6 +3108,10 @@ static void *thread_manage_health(void *data)
 
        rcu_register_thread();
 
+       /* We might hit an error path before this is set once. */
+       memset(&events, 0, sizeof(events));
+       events.epfd = -1;
+
        /* Create unix socket */
        sock = lttcomm_create_unix_sock(health_unix_sock_path);
        if (sock < 0) {
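Review bot: The new comment says an error path may run early but not why the two statements are needed, and the `-1` is the part that matters. A zeroed `events.epfd` would be descriptor 0, so any cleanup that closes the epoll fd would close an unrelated descriptor. The cleanup code at the function's exit label is outside this hunk, so this assumes it closes `events.epfd`. If it does, suggest `/* Error paths clean up 'events' before it has been created; epfd = -1 marks it as unopened so that cleanup does not close fd 0. */`.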
@@ -3443,13 +3464,11 @@ static void *thread_manage_clients(void *data)
                ret = process_client_msg(cmd_ctx, sock, &sock_error);
                rcu_thread_offline();
                if (ret < 0) {
-                       if (sock_error) {
-                               ret = close(sock);
-                               if (ret) {
-                                       PERROR("close");
-                               }
-                               sock = -1;
+                       ret = close(sock);
+                       if (ret) {
+                               PERROR("close");
                        }
+                       sock = -1;
                        /*
                         * TODO: Inform client somehow of the fatal error. At
                         * this point, ret < 0 means that a zmalloc failed
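Review bot: The TODO comment directly below the new lines still says "At this point, ret < 0 means that a zmalloc failed", but `ret` has just been overwritten with the result of close(), so it no longer holds the value returned by process_client_msg(). Testing the call directly, `if (close(sock)) {` followed by the existing PERROR, keeps `ret` meaning what the comment says. The rest of this error branch is outside the hunk, so whether later code tests `ret` is not visible here. Since `sock_error` no longer influences this branch, a one-line comment saying that every failed command now drops the client connection would document the behaviour change.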
@@ -4038,6 +4057,13 @@ int main(int argc, char **argv)
 
        setup_consumerd_path();
 
+       page_size = sysconf(_SC_PAGESIZE);
+       if (page_size < 0) {
+               PERROR("sysconf _SC_PAGESIZE");
+               page_size = LONG_MAX;
+               WARN("Fallback page size to %ld", page_size);
+       }
+
        /* Parse arguments */
        progname = argv[0];
        if ((ret = parse_args(argc, argv)) < 0) {
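Review bot: The `page_size = LONG_MAX;` fallback needs a comment stating its intent, because it is only safe if every consumer of `page_size` compares against it and never multiplies, adds to or rounds with it. Any such arithmetic on LONG_MAX would be signed overflow. The consumers are outside this diff, so that could not be checked here. If the aim is to fail closed, say so, for example `/* Fail closed: with an unknown page size no requested size can pass a >= page_size check. */`. Otherwise, treating a failed sysconf() as a fatal startup error would be simpler than carrying a sentinel through the daemon. LONG_MAX also requires `<limits.h>`, and no include change is visible in this diff.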