This repository was archived by the owner on Apr 5, 2026. It is now read-only.

Commit cbf5545

fix: use-after-free in free_msg_buffers_chunk_internal
C->free_block_queue was accessed after free(C). The memset(C,0,...) before free() made this "work" (queue pointer was already NULL), but it's still undefined behavior. Save the queue pointer before freeing the chunk. Found by -Werror CI job (GCC 13 -Wuse-after-free).
1 parent 6d8031b commit cbf5545

1 file changed

net/net-msg-buffers.c

Lines changed: 4 additions & 3 deletions
@@ -290,6 +290,8 @@ void free_msg_buffers_chunk_internal (struct msg_buffers_chunk *C, struct msg_bu
290290
__sync_fetch_and_add (&allocated_buffer_chunks, -1);
291291
MODULE_STAT->allocated_buffer_bytes -= MSG_BUFFERS_CHUNK_SIZE;
292292

293+
struct mp_queue *bq = C->free_block_queue;
294+
293295
memset (C, 0, sizeof (struct msg_buffers_chunk));
294296
free (C);
295297

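Review bot: free (C) still runs before the ChunkSave loop in the next hunk compares `ChunkSave[si] == C`, so the function keeps using the value of an already-freed pointer; the C standard treats that value as indeterminate too, it is just not something -Wuse-after-free reports. Moving the `memset (C, 0, sizeof (struct msg_buffers_chunk));` / `free (C);` pair to the end of the function, after the ChunkSave scan and the queue release, would make the `bq` temporary unnecessary. If freeing the chunk early is deliberate, a one-line comment beside `struct mp_queue *bq = C->free_block_queue;` explaining that the pointer must be captured before the memset would help the next reader.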
@@ -302,9 +304,8 @@ void free_msg_buffers_chunk_internal (struct msg_buffers_chunk *C, struct msg_bu
302304
if (ChunkSave[si] == C) {
303305
ChunkSave[si] = NULL;
304306
}
305-
306-
free_mp_queue (C->free_block_queue);
307-
C->free_block_queue = NULL;
307+
308+
free_mp_queue (bq);
308309
}
309310

310311

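Review bot: this is a behaviour change, not only an undefined-behaviour cleanup, and the commit message should say so. The removed `free_mp_queue (C->free_block_queue);` was, per the message, receiving a pointer the earlier memset had already zeroed, so the queue was not released at this point; `free_mp_queue (bq);` now hands it the live queue. Please confirm nothing else owns or frees that queue, otherwise the fix trades a leak for a double free. Dropping `C->free_block_queue = NULL;` is fine, since C is both zeroed and freed above.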
0 commit comments

Comments
 (0)