git.ipfire.org Git - thirdparty/systemd.git/commit

author	Yu Watanabe <watanabe.yu+github@gmail.com>
	Tue, 2 Jan 2024 19:19:33 +0000 (04:19 +0900)
committer	Yu Watanabe <watanabe.yu+github@gmail.com>
	Tue, 2 Jan 2024 23:41:36 +0000 (08:41 +0900)
commit	6ba147485e09de649d5b13e0c341688a04403d40
tree	e78c2a4e28a97993a5854eada1ef086522402707	tree \| snapshot
parent	ff49e703ff92cb018e9184ad829e554b06c4ad75	commit \| diff

network/queue: fix potential double-free on oom

Currently, link_queue_request_safe(), which is a wrapper of
request_new(), is called with a free function at
- link_request_stacked_netdev() at netdev/netdev.c,
- link_request_address() at networkd-address.c,
- link_request_nexthop() at networkd-nexthop.c,
- link_request_neighbor() at networkd-networkd.c.

For the netdev case, the reference counter of the passed object is increased
only when the function returns 1. So, on failure (with -ENOMEM)
previously we unexpectedly dropped the reference of the NetDev object.
Similarly, for Address and friends, the ownership of the object is moved to the
Request object only when the function returns 1. And on failure, previously
the object was freed twice.

Also, netdev_queue_request(), which is another wrapper of request_new()
potentially leaks memory when the same NetDev object is queued twice.
Fortunately, that should not happen as the function is called only once
per object.

This fixes the above issue, and now the ownership or the reference
counter of the object is changed only when it is succeeded with 1.