1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
|
From cb67aebd63d9f0077cbf3e769f0b223c5bba20ac Mon Sep 17 00:00:00 2001
From: Khem Raj <raj.khem@gmail.com>
Date: Sun, 16 Dec 2018 20:58:35 -0800
Subject: [PATCH 2/2] core: Fix use after free case in load_from_path()
ensure that mfree() on filename is called after the logging function
which uses the string pointed by filename
Signed-off-by: Khem Raj <raj.khem@gmail.com>
---
Upstream-Status: Submitted [https://github.com/systemd/systemd/pull/11179]
src/core/load-fragment.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/core/load-fragment.c b/src/core/load-fragment.c
index fc5644f48..da585786e 100644
--- a/src/core/load-fragment.c
+++ b/src/core/load-fragment.c
@@ -4531,7 +4531,6 @@ static int load_from_path(Unit *u, const char *path) {
r = open_follow(&filename, &f, symlink_names, &id);
if (r >= 0)
break;
- filename = mfree(filename);
/* ENOENT means that the file is missing or is a dangling symlink.
* ENOTDIR means that one of paths we expect to be is a directory
@@ -4540,9 +4539,12 @@ static int load_from_path(Unit *u, const char *path) {
*/
if (r == -EACCES)
log_debug_errno(r, "Cannot access \"%s\": %m", filename);
- else if (!IN_SET(r, -ENOENT, -ENOTDIR))
+ else if (!IN_SET(r, -ENOENT, -ENOTDIR)) {
+ filename = mfree(filename);
return r;
+ }
+ filename = mfree(filename);
/* Empty the symlink names for the next run */
set_clear_free(symlink_names);
}
--
2.20.1
|
