nspawn-oci: fix double free

author Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>

Fri, 22 Mar 2019 16:23:49 +0000 (17:23 +0100)

committer Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>

Fri, 22 Mar 2019 16:39:12 +0000 (17:39 +0100)
author Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
Fri, 22 Mar 2019 16:23:49 +0000 (17:23 +0100)
committer Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
Fri, 22 Mar 2019 16:39:12 +0000 (17:39 +0100)
diff --git a/src/nspawn/nspawn-settings.c b/src/nspawn/nspawn-settings.c

index ab69f24c54e1cefad4088abd4b6e7dd38067bc2e..476cb0779e7ec239fdd3b15c63f866de34b4a6fb 100644 (file)
--- a/src/nspawn/nspawn-settings.c
+++ b/src/nspawn/nspawn-settings.c
@@ -110,7 +110,7 @@ static void free_oci_hooks(OciHook *h, size_t n) {
          free(h);
  }
  
-void device_node_free_many(DeviceNode *node, size_t n) {
+void device_node_array_free(DeviceNode *node, size_t n) {
          size_t i;
  
          for (i = 0; i < n; i++)
@@ -156,8 +156,7 @@ Settings* settings_free(Settings *s) {
          sd_bus_message_unref(s->properties);
  
          free(s->supplementary_gids);
-        device_node_free_many(s->extra_nodes, s->n_extra_nodes);
-        free(s->extra_nodes);
+        device_node_array_free(s->extra_nodes, s->n_extra_nodes);
          free(s->network_namespace_path);
  
          strv_free(s->sysctl);
diff --git a/src/nspawn/nspawn-settings.h b/src/nspawn/nspawn-settings.h

index cc802f77afadee6554e72c80f864b6e3884ee3b9..231082706d4199c206e0f33edc05f48e831acd15 100644 (file)
--- a/src/nspawn/nspawn-settings.h
+++ b/src/nspawn/nspawn-settings.h
@@ -254,4 +254,4 @@ TimezoneMode timezone_mode_from_string(const char *s) _pure_;
  
  int parse_link_journal(const char *s, LinkJournal *ret_mode, bool *ret_try);
  
-void device_node_free_many(DeviceNode *node, size_t n);
+void device_node_array_free(DeviceNode *node, size_t n);
diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c

index f3842f70c65106459d3a29fe6de1ff3a32278a4d..8e6780d54bcc205d645321b9e76aa6b8a37a2b3a 100644 (file)
--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
@@ -3958,7 +3958,7 @@ static int merge_settings(Settings *settings, const char *path) {
          arg_console_width = settings->console_width;
          arg_console_height = settings->console_height;
  
-        device_node_free_many(arg_extra_nodes, arg_n_extra_nodes);
+        device_node_array_free(arg_extra_nodes, arg_n_extra_nodes);
          arg_extra_nodes = TAKE_PTR(settings->extra_nodes);
          arg_n_extra_nodes = settings->n_extra_nodes;
  
@@ -5070,7 +5070,7 @@ finish:
          custom_mount_free_all(arg_custom_mounts, arg_n_custom_mounts);
          expose_port_free_all(arg_expose_ports);
          rlimit_free_all(arg_rlimit);
-        device_node_free_many(arg_extra_nodes, arg_n_extra_nodes);
+        device_node_array_free(arg_extra_nodes, arg_n_extra_nodes);
  
          if (r < 0)
                  return r;
diff --git a/test/fuzz/fuzz-nspawn-oci/crash-bffbd2085d4e95c47e9749b3f4a2dbc0580c20d3 b/test/fuzz/fuzz-nspawn-oci/crash-bffbd2085d4e95c47e9749b3f4a2dbc0580c20d3

new file mode 100644 (file)

index 0000000..22e42d3
--- /dev/null
+++ b/test/fuzz/fuzz-nspawn-oci/crash-bffbd2085d4e95c47e9749b3f4a2dbc0580c20d3
@@ -0,0 +1,5 @@
+{"ociVersion": "1.0.0",
+"linux": {"devices": [     {  "access": "mmmw;r"}
+] }, "e": "}e"
+  }
+ 
+\ No newline at end of file
author	Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
	Fri, 22 Mar 2019 16:23:49 +0000 (17:23 +0100)
committer	Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
	Fri, 22 Mar 2019 16:39:12 +0000 (17:39 +0100)
src/nspawn/nspawn-settings.c		patch \| blob \| blame \| history
src/nspawn/nspawn-settings.h		patch \| blob \| blame \| history
src/nspawn/nspawn.c		patch \| blob \| blame \| history
test/fuzz/fuzz-nspawn-oci/crash-bffbd2085d4e95c47e9749b3f4a2dbc0580c20d3	[new file with mode: 0644]	patch \| blob