git:3.1: srdb1: reset prev_token for safer free on error - sr-dev

11 Apr 2011

Module: sip-router
Branch: 3.1
Commit: 9ec10a2249a8319384a143137bc67770445e2467
URL:    http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=9ec10a22...
Author: Daniel-Constantin Mierla miconda@gmail.com
Committer: Daniel-Constantin Mierla miconda@gmail.com
Date:   Mon Apr 11 23:52:38 2011 +0200
srdb1: reset prev_token for safer free on error
- if parse_db_url() fails internally, prev_token can point to same
  memory chunk as one of the db id attributes, causing a double-free
(cherry picked from commit 765c17f8c2ef79fd49ec2a74781b49a56aa47c3a)
---
lib/srdb1/db_id.c |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

diff --git a/lib/srdb1/db_id.c b/lib/srdb1/db_id.c
index d7fcf02..1c9c4b5 100644
--- a/lib/srdb1/db_id.c
+++ b/lib/srdb1/db_id.c
@@ -162,12 +162,14 @@ static int parse_db_url(struct db_id* id, const str* url)
    		case '@':
    			st = ST_HOST;
    			id->username = prev_token;
+				prev_token = 0;
    			if (dupl_string(&id->password, begin, url->s + i) < 0) goto err;
    			begin = url->s + i + 1;
    			break;
case '/':
    			id->host = prev_token;
+				prev_token = 0;
    			id->port = str2s(begin, url->s + i - begin, 0);
    			if (dupl_string(&id->database, url->s + i + 1, url->s + len) < 0) goto err;
    			return 0;
@@ -212,6 +214,7 @@ static int parse_db_url(struct db_id* id, const str* url)
    if (id->password) pkg_free(id->password);
    if (id->host) pkg_free(id->host);
    if (id->database) pkg_free(id->database);
+	memset(id, 0, sizeof(struct db_id));
    if (prev_token) pkg_free(prev_token);
    return -1;
 }

    