[PATCH (3.4)] affile: Fix NULL dereference when opening the destination fails.
Viktor Tusa discovered an error in the affile destination driver: if opening the destination failed (for example, due to insufficient permissions), next was set to NULL, and later on, at the end of affile_dd_open_writer() tried to dereferrence it. A simple workaround is to return NULL in case next is NULL. Reported-by: Viktor Tusa <tusa@balabit.hu> Signed-off-by: Gergely Nagy <algernon@balabit.hu> --- modules/affile/affile.c | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) diff --git a/modules/affile/affile.c b/modules/affile/affile.c index 87767aa..57ccb7a 100644 --- a/modules/affile/affile.c +++ b/modules/affile/affile.c @@ -1052,6 +1052,9 @@ affile_dd_open_writer(gpointer args[]) } } } + if (!next) + return NULL; + next->queue_pending = TRUE; /* we're returning a reference */ return &next->super; -- 1.7.2.5
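Review bot: the early `if (!next) return NULL;` stops the dereference inside affile_dd_open_writer(), but the hunk does not show how the callers of affile_dd_open_writer() treat a NULL return; since the commit message itself calls this a "simple workaround", please confirm that every caller checks the result before using `&next->super`, otherwise the crash only moves one frame up the stack. The follow-up in this thread points to a 3.3 commit that fixed the same NULL deref together with a reference-counting leak in the file-open code, so backporting that change to 3.4 may be preferable to carrying a branch-specific workaround; also, "dereferrence" in the commit message should read "dereference".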
Gergely Nagy <algernon@balabit.hu> writes:
> Viktor Tusa discovered an error in the affile destination driver: if opening the destination failed (for example, due to insufficient permissions), next was set to NULL, and later on, at the end of affile_dd_open_writer() tried to dereference it.
>
> A simple workaround is to return NULL in case next is NULL.
>
> Reported-by: Viktor Tusa <tusa@balabit.hu>
> Signed-off-by: Gergely Nagy <algernon@balabit.hu>
Apparently, this was corrected in 3.3:

commit 33de4c3b4de40493544cee3cf3de8bd0e4d76d34
Author: Balazs Scheidler <bazsi@balabit.hu>
Date:   Sun Jun 12 10:38:18 2011 +0200

    [affile] fixed a reference counting problem in the file-open code

    A reference was leaked whenever the same file got opened from multiple threads at about the same time, causing use-after-free problems.

    This patch also fixes a possible NULL deref that could happen if the writer couldn't be initialized.

    Signed-off-by: Viktor Juhasz <jviktor@balabit.hu>
    Signed-off-by: Balazs Scheidler <bazsi@balabit.hu>

-- 
|8]