Fix use after free in pipe_dtor(). PIPE_NAMED flag must be tested
before pipeclose() is called, since in the !PIPE_NAMED case, when the peer is already closed, the pipe pair memory is freed. Submitted by: luke.tw@gmail.com PR: 197246 Tested by: pho MFC after: 3 days
This commit is contained in:
parent
7a5cf9ac76
commit
04052a24ca
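--- a/FILE_PATH_NOT_SHOWN
+++ b/FILE_PATH_NOT_SHOWN
@@ -377,15 +377,16 @@ pipe_named_ctor(struct pipe **ppipe, struct thread *td)
 void
 pipe_dtor(struct pipe *dpipe)
 {
+	struct pipe *peer;
 	ino_t ino;
 
 	ino = dpipe->pipe_ino;
+	peer = (dpipe->pipe_state & PIPE_NAMED) != 0 ? dpipe->pipe_peer : NULL;
 	funsetown(&dpipe->pipe_sigio);
 	pipeclose(dpipe);
-	if (dpipe->pipe_state & PIPE_NAMED) {
-		dpipe = dpipe->pipe_peer;
-		funsetown(&dpipe->pipe_sigio);
-		pipeclose(dpipe);
+	if (peer != NULL) {
+		funsetown(&peer->pipe_sigio);
+		pipeclose(peer);
 	}
 	if (ino != 0 && ino != (ino_t)-1)
 		free_unr(pipeino_unr, ino);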
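Review bot: The new `peer = ... : NULL;` line and the existing `ino = dpipe->pipe_ino;` line both exist only because `pipeclose(dpipe)` may free the pipe pair, and nothing in pipe_dtor() says so; a future reorder would silently reintroduce the use-after-free this commit fixes. I would add a comment above the `ino =` assignment: `/* pipeclose() can free the pipe pair (unnamed pipe whose peer is already closed), so read everything we need from dpipe before calling it. */`. The closing brace of pipe_dtor() lies outside the hunk, so the end of the function was not reviewed here.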