[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
bug#19890: [PATCH] Use after free in dld_link on error path
|
From: |
Tobias Stoeckmann |
|
Subject: |
bug#19890: [PATCH] Use after free in dld_link on error path |
|
Date: |
Tue, 17 Feb 2015 22:42:45 +0100 |
When dld_link fails, the allocated memory for module (strdup) is
freed, but still returned by vm_open. vm_open is called in
ltdr.c line 444, which checks the error flag only if result is NULL.
Therefore, the error condition of vm_open is ignored and the memory
pointed to by module is used later on.
While fixing this, also set error condition and return NULL if
strdup is unable to allocate memory.
---
libltdl/loaders/dld_link.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/libltdl/loaders/dld_link.c b/libltdl/loaders/dld_link.c
index a73880f..e95d5e4 100644
--- a/libltdl/loaders/dld_link.c
+++ b/libltdl/loaders/dld_link.c
@@ -111,11 +111,15 @@ vm_open (lt_user_data loader_data LT__UNUSED, const char
*filename,
lt_dladvise advise LT__UNUSED)
{
lt_module module = lt__strdup (filename);
-
- if (dld_link (filename) != 0)
+ if (module == NULL)
+ {
+ LT__SETERROR (NO_MEMORY);
+ }
+ else if (dld_link (filename) != 0)
{
LT__SETERROR (CANNOT_OPEN);
FREE (module);
+ module = NULL;
}
return module;
--
2.3.0
- bug#19890: [PATCH] Use after free in dld_link on error path,
Tobias Stoeckmann <=