Cygwin: fix memory corruption/SEGV if certain socket functions fail

Regression introduced with 2.11.0:

The failure paths in socket, socketpair and accept4 functions and
methods accidentally release *unused* cygheap_fdmanip objects.  The
subsequently called dtable::release method was designed to be called for
*used* cygheap_fdmanip objects only.  Using them on unused objects leads
to NULL pointer member dereferencing.

Worse, the inet/local accept4 methods only release the cygheap_fdmanip
object but neglect to delete the just created fhandler_socket_* object.

Fix this by removing the erroneous release calls in the aforementioned
failure paths and delete the fhandler_socket_* object in accept4 instead.

Signed-off-by: Corinna Vinschen <corinna@vinschen.de>

1 files changed, 2 insertions, 10 deletions

diff --git a/winsup/cygwin/net.cc b/winsup/cygwin/net.cc
index d152894ee..4494bf71c 100644
--- a/winsup/cygwin/net.cc
+++ b/winsup/cygwin/net.cc
@@ -536,10 +536,7 @@ cygwin_socket (int af, int type, int protocol)
 	  res = fd;
 	}
       else
-	{
-	  delete fh;
-	  fd.release ();
-	}
+	delete fh;
     }
 
 done:
@@ -2314,10 +2311,7 @@ socketpair (int af, int type, int protocol, int sv[2])
 
       cygheap_fdnew fd_out (fd_in, false);
       if (fd_out < 0)
-	{
-	  fd_in.release ();
-	  goto done;
-	}
+	goto done;
 
       fh_in = reinterpret_cast<fhandler_socket *> (build_fh_dev (*dev));
       fh_out = reinterpret_cast<fhandler_socket *> (build_fh_dev (*dev));
@@ -2343,8 +2337,6 @@ socketpair (int af, int type, int protocol, int sv[2])
 	{
 	  delete fh_in;
 	  delete fh_out;
-	  fd_in.release ();
-	  fd_out.release ();
 	}
     }