From 020d7f606b4264ec26bdae8b84d6e85182539ab2 Mon Sep 17 00:00:00 2001
From: David Goulet
Date: Tue, 14 May 2013 13:13:53 -0400
Subject: [PATCH] Fix: Read from pointer after free
Also, a fd leak is fixed in an error path in the same thread.
Issue 1019889 of coverity scan.
Signed-off-by: David Goulet
---
 src/bin/lttng-sessiond/main.c | 25 ++++++++++++++++++-------
 1 file changed, 18 insertions(+), 7 deletions(-)
diff --git a/src/bin/lttng-sessiond/main.c b/src/bin/lttng-sessiond/main.c
index efaaf4ffa..6f9834425 100644
--- a/src/bin/lttng-sessiond/main.c
+++ b/src/bin/lttng-sessiond/main.c
@@ -1380,6 +1380,11 @@ static void *thread_dispatch_ust_registration(void *data)
 wait_node = zmalloc(sizeof(*wait_node));
 if (!wait_node) {
 PERROR("zmalloc wait_node dispatch");
+ ret = close(ust_cmd->sock);
+ if (ret < 0) {
+ PERROR("close ust sock dispatch %d", ust_cmd->sock);
+ }
+ lttng_fd_put(1, LTTNG_FD_APPS);
 free(ust_cmd);
 goto error;
 }
@@ -1427,6 +1432,19 @@ static void *thread_dispatch_ust_registration(void *data)
 break;
 }
 }
+
+ /*
+ * With no application at this stage the received socket is
+ * basically useless so close it before we free the cmd data
+ * structure for good.
+ */
+ if (!app) {
+ ret = close(ust_cmd->sock);
+ if (ret < 0) {
+ PERROR("close ust sock dispatch %d", ust_cmd->sock);
+ }
+ lttng_fd_put(1, LTTNG_FD_APPS);
+ }
 free(ust_cmd);
 }
@@ -1488,13 +1506,6 @@ static void *thread_dispatch_ust_registration(void *data)
 rcu_read_unlock();
 session_unlock_list();
- } else {
- /* Application manager threads are not available. */
- ret = close(ust_cmd->sock);
- if (ret < 0) {
- PERROR("close ust_cmd sock");
- }
- lttng_fd_put(1, LTTNG_FD_APPS);
 }
 } while (node != NULL);
-- 
2.34.1
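Review bot: The close / PERROR / lttng_fd_put sequence added to the zmalloc failure path in the `@@ -1380,6 +1380,11 @@` hunk is repeated verbatim in the `if (!app)` block of the `@@ -1427,6 +1432,19 @@` hunk. With two copies, the descriptor close and its LTTNG_FD_APPS accounting can drift apart the next time only one of them is edited. A small static helper that takes the socket would keep the two steps paired on every path; if one were missed, the daemon's descriptor accounting would presumably be skewed whenever a registration fails. The enclosing function starts and ends outside both hunks, and the helper name below is only a suggestion.

```c
/* Close a registration socket and release its LTTNG_FD_APPS slot. */
static void close_ust_sock(int sock)
{
	int ret = close(sock);

	if (ret < 0) {
		PERROR("close ust sock dispatch %d", sock);
	}
	lttng_fd_put(1, LTTNG_FD_APPS);
}

/* … unchanged: zmalloc of wait_node and its PERROR … */
	close_ust_sock(ust_cmd->sock);
	free(ust_cmd);
	goto error;
```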
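Review bot: The new `if (!app)` guard in the `@@ -1427,6 +1432,19 @@` hunk decides who owns the socket, and it is only correct if `app` is NULL at the start of every pass through the dispatch loop. The declaration and reset of `app` are outside the hunk, so this cannot be confirmed from here. If `app` could keep a value from an earlier command, the socket and its LTTNG_FD_APPS slot would stay open, and the code after this block would act on a stale object. I would state the invariant next to the check, for example `/* app is NULL unless the wait-queue lookup above matched this command */`, and confirm that the reset exists. The function body continues outside the hunk.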