Avoid double-free in daemon client cleanup code

diff --git a/ChangeLog b/ChangeLog
index e3f865cf440c95907e29b9f39f42d5b6cecd6c74..4d94a9d57c72808340142e64750cfe16cb480ac0 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+Fri May 29 15:34:30 BST 2009 Daniel P. Berrange <berrange@redhat.com>
+
+       * qemud/qemud.c: Set free'd variables to NULL to avoid potential
+       double-free() scenario when client unexpectedly closes connection
+
 Fri May 29 15:26:30 BST 2009 Daniel P. Berrange <berrange@redhat.com>
 
        Win32 portability fixes

diff --git a/qemud/qemud.c b/qemud/qemud.c
index 137556015f274c7af0beb920db0bae27d241bf3f..783dc69927eefe243dfa6674b426348d6e773b03 100644 (file)
--- a/qemud/qemud.c
+++ b/qemud/qemud.c
@@ -1378,7 +1378,10 @@ static int qemudDispatchServer(struct qemud_server *server, struct qemud_socket
  * jobs have finished, then clean it up elsehwere
  */
 void qemudDispatchClientFailure(struct qemud_client *client) {
-    virEventRemoveHandleImpl(client->watch);
+    if (client->watch != -1) {
+        virEventRemoveHandleImpl(client->watch);
+        client->watch = -1;
+    }
 
     /* Deregister event delivery callback */
     if(client->conn) {
@@ -1387,12 +1390,21 @@ void qemudDispatchClientFailure(struct qemud_client *client) {
     }
 
 #if HAVE_SASL
-    if (client->saslconn) sasl_dispose(&client->saslconn);
+    if (client->saslconn) {
+        sasl_dispose(&client->saslconn);
+        client->saslconn = NULL;
+    }
     free(client->saslUsername);
+    client->saslUsername = NULL;
 #endif
-    if (client->tlssession) gnutls_deinit (client->tlssession);
-    close(client->fd);
-    client->fd = -1;
+    if (client->tlssession) {
+        gnutls_deinit (client->tlssession);
+        client->tlssession = NULL;
+    }
+    if (client->fd != -1) {
+        close(client->fd);
+        client->fd = -1;
+    }
 }