Use a single free-and-exit strategy in config_process_include.

This avoids a double-free when a pointer already freed with
tor_free(config_line) is freed again in the cleanup-and-exit code.

Fixes bug 23155.
This commit is contained in:
Nick Mathewson 2017-08-08 20:07:39 -04:00
parent a47b8fcf92
commit 72832086e2
2 changed files with 13 additions and 7 deletions

4
changes/bug23155 Normal file
View File

@ -0,0 +1,4 @@
o Minor bugfixes (stability):
- Avoid crashing on double-free when unable to load or process
an included file. Fixes bug 23155; bugfix on 0.3.1.1-alpha.
Found with the clang static analyzer.

View File

@ -294,24 +294,26 @@ config_process_include(const char *path, int recursion_level, int extended,
return -1;
}
SMARTLIST_FOREACH_BEGIN(config_files, char *, config_file) {
int rv = -1;
SMARTLIST_FOREACH_BEGIN(config_files, const char *, config_file) {
config_line_t *included_list = NULL;
if (config_get_included_list(config_file, recursion_level, extended,
&included_list, list_last) < 0) {
SMARTLIST_FOREACH(config_files, char *, f, tor_free(f));
smartlist_free(config_files);
return -1;
goto done;
}
tor_free(config_file);
*next = included_list;
if (*list_last)
next = &(*list_last)->next;
} SMARTLIST_FOREACH_END(config_file);
smartlist_free(config_files);
*list = ret_list;
return 0;
rv = 0;
done:
SMARTLIST_FOREACH(config_files, char *, f, tor_free(f));
smartlist_free(config_files);
return rv;
}
/**