vici: Don't pass stack variable to thread cleanup handler

The variable seems to get overwritten during cleanup, causing a
segmentation fault because either the pointer and/or the length is
invalid.

diff --git a/src/libcharon/plugins/vici/vici_socket.c b/src/libcharon/plugins/vici/vici_socket.c
index 39d34e4d3ea9631b6cb08738a1ec67bd58144e5c..156f0c89dc42be0216eff43d8fce344d68032240 100644 (file)
--- a/src/libcharon/plugins/vici/vici_socket.c
+++ b/src/libcharon/plugins/vici/vici_socket.c
@@ -480,6 +480,15 @@ static bool do_read(private_vici_socket_t *this, entry_t *entry,
        return TRUE;
 }
 
+/**
+ * Clear the given chunk and free it
+ */
+static void destroy_request_chunk(chunk_t *chunk)
+{
+       chunk_clear(chunk);
+       free(chunk);
+}
+
 /**
  * Callback processing incoming requests in strict order
  */
@@ -487,7 +496,7 @@ CALLBACK(process_queue, job_requeue_t,
        entry_selector_t *sel)
 {
        entry_t *entry;
-       chunk_t chunk;
+       chunk_t *chunk;
        bool found;
        u_int id;
 
@@ -499,7 +508,8 @@ CALLBACK(process_queue, job_requeue_t,
                        break;
                }
 
-               found = array_remove(entry->queue, ARRAY_HEAD, &chunk);
+               INIT(chunk);
+               found = array_remove(entry->queue, ARRAY_HEAD, chunk);
                if (!found)
                {
                        entry->has_processor = FALSE;
@@ -508,11 +518,12 @@ CALLBACK(process_queue, job_requeue_t,
                put_entry(sel->this, entry, TRUE, FALSE);
                if (!found)
                {
+                       free(chunk);
                        break;
                }
 
-               thread_cleanup_push((void*)chunk_clear, &chunk);
-               sel->this->inbound(sel->this->user, id, chunk);
+               thread_cleanup_push((void*)destroy_request_chunk, chunk);
+               sel->this->inbound(sel->this->user, id, *chunk);
                thread_cleanup_pop(TRUE);
        }
        return JOB_REQUEUE_NONE;