From eb95f36d3bc955a08e1362834d8ecd74ca4233e8 Mon Sep 17 00:00:00 2001 From: Patrick McCarty Date: Tue, 2 Jan 2018 16:11:47 -0800 Subject: [PATCH] Fix double free issue In commit e18eb69, retrieve_manifests() was refactored to support the mixer integration feature, but it introduced a double free of the "filename" pointer when following certain code paths. One code path to reproduce the issue is when a Manifest.MoM is not present in the state directory, and swupd_curl_check_network() fails. A free(filename) was being called immediately before swupd_curl_check_network(), and then again after jumping to the "out" label for the error condition. Resolve the issue by resetting the filename pointer to NULL after freeing the memory to prevent a later double free. I also reset the url pointer to NULL at the second call site for similar reasoning. Signed-off-by: Patrick McCarty --- src/manifest.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/manifest.c b/src/manifest.c index 7f1c46df9..f8962ae94 100644 --- a/src/manifest.c +++ b/src/manifest.c @@ -544,6 +544,7 @@ static int retrieve_manifests(int current, int version, char *component, struct goto out; } free(filename); + filename = NULL; if (swupd_curl_check_network()) { ret = -ENOSWUPDSERVER; @@ -577,7 +578,9 @@ static int retrieve_manifests(int current, int version, char *component, struct goto untar; } free(filename); + filename = NULL; free(url); + url = NULL; } /* Either we're not on mix or it failed, try curl-ing the file if link didn't work */
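Review bot: In the first hunk (`@@ -544,6 +544,7 @@`), the added `filename = NULL;` carries no comment, and the reason it matters is only in the commit message: the `swupd_curl_check_network()` failure branch directly below ends up at the `out` label, which frees `filename` again. A one-line comment here, for example "reset so the cleanup at out does not free it twice", would keep a later refactor from dropping the assignment as dead code. Since the same free-then-reset pair is repeated in the next hunk, a small helper that takes a `char **`, frees the target and stores NULL would keep the two statements from drifting apart.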
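Review bot: In the second hunk (`@@ -577,7 +578,9 @@`), the new resets only cover the fall-through path. The `goto untar;` immediately above skips both `free(filename);` and `free(url);`, so on that path the two pointers stay allocated and non-NULL. Please confirm that the code after `untar` releases each of them exactly once, since the fix relies on every pointer reaching the shared cleanup being either live or NULL. The commit message justifies `url = NULL;` only as "similar reasoning"; it would help to state whether `url` is also freed at `out` (making this a second real double free) or whether the reset is purely defensive.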