This repository was archived by the owner on Mar 31, 2026. It is now read-only.

Commit 53a5b10

fix: use-after-free in free_msg_buffers_chunk_internal
C->free_block_queue was accessed after free(C). The memset(C,0,...) before free() made this "work" (queue pointer was already NULL), but it's still undefined behavior. Save the queue pointer before freeing the chunk. Found by -Werror CI job (GCC 13 -Wuse-after-free).
1 parent c69b447 commit 53a5b10

1 file changed: +4 / -3 lines changed

net/net-msg-buffers.c

Lines changed: 4 additions & 3 deletions
@@ -290,6 +290,8 @@ void free_msg_buffers_chunk_internal (struct msg_buffers_chunk *C, struct msg_bu
290290
__sync_fetch_and_add (&allocated_buffer_chunks, -1);
291291
MODULE_STAT->allocated_buffer_bytes -= MSG_BUFFERS_CHUNK_SIZE;
292292

293+
struct mp_queue *bq = C->free_block_queue;
294+
293295
memset (C, 0, sizeof (struct msg_buffers_chunk));
294296
free (C);
295297

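Review bot: the save of `bq` happens before the `memset` and `free`, which is the required order, but nothing in the hunk records why; a short comment above `struct mp_queue *bq = C->free_block_queue;` stating that the queue is released only after the chunk memory is gone would stop a later edit from moving the memset back above it. The added empty line at 294 is stylistic noise and can be dropped.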
@@ -302,9 +304,8 @@ void free_msg_buffers_chunk_internal (struct msg_buffers_chunk *C, struct msg_bu
302304
if (ChunkSave[si] == C) {
303305
ChunkSave[si] = NULL;
304306
}
305-
306-
free_mp_queue (C->free_block_queue);
307-
C->free_block_queue = NULL;
307+
308+
free_mp_queue (bq);
308309
}
309310

310311

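Review bot: the removed line `C->free_block_queue = NULL;` stored into the chunk after `free (C)`, so the old code was a write-after-free as well as a read, and the commit message should say so. More importantly, since the `memset` zeroed the field before `free`, the old `free_mp_queue (C->free_block_queue)` call was effectively `free_mp_queue (NULL)` and the real queue was never released; `free_mp_queue (bq)` therefore changes behaviour, fixing a leak if this is the only release path or introducing a double free if the queue is also freed elsewhere, and that should be confirmed before merging. The retained `if (ChunkSave[si] == C)` still compares the value of a pointer that has already been passed to `free`, which `-Wuse-after-free=3` flags; moving the `free (C)` below the `ChunkSave` check would remove the last use of the dangling value.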