Module: sip-router Branch: master Commit: 765c17f8c2ef79fd49ec2a74781b49a56aa47c3a URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=765c17f… Author: Daniel-Constantin Mierla &lt;miconda(a)gmail.com&gt; Committer: Daniel-Constantin Mierla &lt;miconda(a)gmail.com&gt; Date: Mon Apr 11 23:52:38 2011 +0200 srdb1: reset prev_token for safer free on error - if parse_db_url() fails internally, prev_token can point to same memory chunk as one of the db id attributes, causing a double-free --- lib/srdb1/db_id.c | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) diff --git a/lib/srdb1/db_id.c b/lib/srdb1/db_id.c index 6b0bb66..8c8b2a3 100644 --- a/lib/srdb1/db_id.c +++ b/lib/srdb1/db_id.c @@ -162,12 +162,14 @@ static int parse_db_url(struct db_id* id, const str* url) case '@': st = ST_HOST; id->username = prev_token; + prev_token = 0; if (dupl_string(&id->password, begin, url->s + i) < 0) goto err; begin = url->s + i + 1; break; case '/': id->host = prev_token; + prev_token = 0; id->port = str2s(begin, url->s + i - begin, 0); if (dupl_string(&id->database, url->s + i + 1, url->s + len) < 0) goto err; return 0; @@ -213,6 +215,7 @@ static int parse_db_url(struct db_id* id, const str* url) if (id->password) pkg_free(id->password); if (id->host) pkg_free(id->host); if (id->database) pkg_free(id->database); + memset(id, 0, sizeof(struct db_id)); if (prev_token) pkg_free(prev_token); end: return -1;