bug#19890: [PATCH] Use after free in dld_link on error path

From: Tobias Stoeckmann
Subject: bug#19890: [PATCH] Use after free in dld_link on error path
Date: Tue, 17 Feb 2015 22:42:45 +0100

When dld_link fails, the allocated memory for module (strdup) is
freed, but still returned by vm_open. vm_open is called in
ltdr.c line 444, which checks the error flag only if result is NULL.

Therefore, the error condition of vm_open is ignored and the memory
pointed to by module is used later on.

While fixing this, also set error condition and return NULL if
strdup is unable to allocate memory.
 libltdl/loaders/dld_link.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/libltdl/loaders/dld_link.c b/libltdl/loaders/dld_link.c
index a73880f..e95d5e4 100644
--- a/libltdl/loaders/dld_link.c
+++ b/libltdl/loaders/dld_link.c
@@ -111,11 +111,15 @@ vm_open (lt_user_data loader_data LT__UNUSED, const char 
          lt_dladvise advise LT__UNUSED)
   lt_module module = lt__strdup (filename);
-  if (dld_link (filename) != 0)
+  if (module == NULL)
+    {
+    }
+  else if (dld_link (filename) != 0)
       FREE (module);
+      module = NULL;
   return module;
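
Review bot: The new "if (module == NULL)" branch has an empty body as shown, so a failed lt__strdup returns NULL without recording any error, although the description says this path should set the error condition. The caller only checks the error flag when the result is NULL, so set the loader error inside that block before reaching "return module;". Also keep "FREE (module);" and "module = NULL;" together in one braced block under the "else if": as shown, no braces are visible there, and without them the assignment would run on the success path too and vm_open would always return NULL.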
