From cd5f35ec672934165c20298b2c33f493033267f2 Mon Sep 17 00:00:00 2001
From: Christian Brauner
Date: Mon, 1 Feb 2021 22:11:38 +0100
Subject: [PATCH] attach: prevent UAF

Fixes: Coverity 1472761
Signed-off-by: Christian Brauner
---
 src/lxc/attach.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/lxc/attach.c b/src/lxc/attach.c
index e9f35d711..3158d7886 100644
--- a/src/lxc/attach.c
+++ b/src/lxc/attach.c
@@ -1190,8 +1190,6 @@ __noreturn static void do_attach(struct attach_payload *ap)
 TRACE("Prepared terminal file descriptor %d", ap->terminal_pts_fd);
 }
- put_attach_payload(ap);
-
 /* Avoid unnecessary syscalls. */
 if (ctx->setup_ns_uid == ctx->target_ns_uid)
 ctx->target_ns_uid = LXC_INVALID_UID;
@@ -1210,11 +1208,14 @@ __noreturn static void do_attach(struct attach_payload *ap)
 if (!lxc_switch_uid_gid(ctx->target_ns_uid, ctx->target_ns_gid))
 goto on_error;
+ put_attach_payload(ap);
+
 /* We're done, so we can now do whatever the user intended us to do. */
 _exit(attach_function(attach_function_args));
 on_error:
 ERROR("Failed to attach to container");
+ put_attach_payload(ap);
 _exit(EXIT_FAILURE);
 }
--
2.47.2
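Review bot: The ordering rule this fix depends on is not written down at the relocated `put_attach_payload(ap);` just before `_exit(attach_function(attach_function_args));` in the second hunk: the release has to come after the last read of `ap` and `ctx`, which the old call site did not respect (the `ctx->setup_ns_uid` accesses in the first hunk ran after it). A comment above the call, such as `/* Release the payload only after the last use of ap and ctx; nothing below may dereference either. */`, would keep a later edit from reintroducing the use-after-free. `attach_function` and `attach_function_args` are set outside this hunk, since do_attach begins earlier in the file, so it is worth confirming that neither points into memory the payload owns. The call added under `on_error:` is reached from gotos that are also outside the hunk, and it presumably relies on put_attach_payload tolerating a partially set up payload.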