From: Eric Leblond Date: Thu, 6 Sep 2012 07:44:31 +0000 (+0200) Subject: defrag: fix potential use after free. X-Git-Tag: suricata-1.4beta1~7 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=d3824bd1abacde2396231c734ef46b5118f2cb37;p=thirdparty%2Fsuricata.git defrag: fix potential use after free. Coverity pointed out that PoolReturn is almost like free and detected a use after free when accessing to tracker->af (issue 720339). This patch fixes this by storing the value in a local variable. --- diff --git a/src/defrag.c b/src/defrag.c index f78d5b19c5..0e017c677b 100644 --- a/src/defrag.c +++ b/src/defrag.c @@ -1042,16 +1042,17 @@ DefragTimeoutTracker(ThreadVars *tv, DecodeThreadVars *dtv, DefragContext *dc, tracker = HashListTableGetListData(next); if (tracker->timeout < (unsigned int)p->ts.tv_sec) { + int af_family = tracker->af; /* Tracker has timeout out. */ HashListTableRemove(dc->frag_table, tracker, HASHLIST_NO_SIZE); DefragTrackerReset(tracker); PoolReturn(dc->tracker_pool, tracker); if (tv != NULL && dtv != NULL) { - if (tracker->af == AF_INET) { + if (af_family == AF_INET) { SCPerfCounterIncr(dtv->counter_defrag_ipv4_timeouts, tv->sc_perf_pca); } - else if (tracker->af == AF_INET6) { + else if (af_family == AF_INET6) { SCPerfCounterIncr(dtv->counter_defrag_ipv6_timeouts, tv->sc_perf_pca); }
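Review bot: the new local `int af_family = tracker->af;` at the top of the timeout branch carries no comment saying why the value is copied, so a later cleanup could fold it back into `tracker->af` after `PoolReturn(dc->tracker_pool, tracker)` and reintroduce the read of a returned tracker. Add a one-line comment stating that the field must be read before `DefragTrackerReset(tracker)` and `PoolReturn(...)` run. Move the declaration below the existing `/* Tracker has timeout out. */` comment so that comment still heads the block, and correct it to "timed out" while touching these lines. Two smaller points: `af_family` is redundant naming, since `af` already stands for address family, and the local should use the declared type of `tracker->af`, which is not visible in this hunk.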