Module: sip-router
Branch: 3.1
Commit: 9ec10a2249a8319384a143137bc67770445e2467
URL:
http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=9ec10a2…
Author: Daniel-Constantin Mierla <miconda(a)gmail.com>
Committer: Daniel-Constantin Mierla <miconda(a)gmail.com>
Date: Mon Apr 11 23:52:38 2011 +0200
srdb1: reset prev_token for safer free on error
- if parse_db_url() fails internally, prev_token can point to same
memory chunk as one of the db id attributes, causing a double-free
(cherry picked from commit 765c17f8c2ef79fd49ec2a74781b49a56aa47c3a)
---
lib/srdb1/db_id.c | 3 +++
1 files changed, 3 insertions(+), 0 deletions(-)
diff --git a/lib/srdb1/db_id.c b/lib/srdb1/db_id.c
index d7fcf02..1c9c4b5 100644
--- a/lib/srdb1/db_id.c
+++ b/lib/srdb1/db_id.c
@@ -162,12 +162,14 @@ static int parse_db_url(struct db_id* id, const str* url)
case '@':
st = ST_HOST;
id->username = prev_token;
+ prev_token = 0;
if (dupl_string(&id->password, begin, url->s + i) < 0) goto err;
begin = url->s + i + 1;
break;
case '/':
id->host = prev_token;
+ prev_token = 0;
id->port = str2s(begin, url->s + i - begin, 0);
if (dupl_string(&id->database, url->s + i + 1, url->s + len) < 0)
goto err;
return 0;
@@ -212,6 +214,7 @@ static int parse_db_url(struct db_id* id, const str* url)
if (id->password) pkg_free(id->password);
if (id->host) pkg_free(id->host);
if (id->database) pkg_free(id->database);
+ memset(id, 0, sizeof(struct db_id));
if (prev_token) pkg_free(prev_token);
return -1;
}