diff options
author | Corinna Vinschen <corinna@vinschen.de> | 2018-10-29 18:12:54 +0300 |
---|---|---|
committer | Corinna Vinschen <corinna@vinschen.de> | 2018-10-29 18:32:48 +0300 |
commit | 2bbe8697d8f14eca88d8d45c11a5a58e879a3c0f (patch) | |
tree | 5ed5d900a828966d299f4d420762d678b63573eb /winsup/cygwin/net.cc | |
parent | af85fdd73f6ac87e02ee2872e415e7e89d7111f4 (diff) |
Cygwin: fix memory corruption/SEGV if certain socket functions fail
Regression introduced with 2.11.0:
The failure paths in socket, socketpair and accept4 functions and
methods accidentally release *unused* cygheap_fdmanip objects. The
subsequently called dtable::release method was designed to be called for
*used* cygheap_fdmanip objects only. Using them on unused objects leads
to NULL pointer member dereferencing.
Worse, the inet/local accept4 methods only release the cygheap_fdmanip
object but neglect to delete the just created fhandler_socket_* object.
Fix this by removing the erroneous release calls in the aforementioned
failure paths and delete the fhandler_socket_* object in accept4 instead.
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
Diffstat (limited to 'winsup/cygwin/net.cc')
-rw-r--r-- | winsup/cygwin/net.cc | 12 |
1 files changed, 2 insertions, 10 deletions
diff --git a/winsup/cygwin/net.cc b/winsup/cygwin/net.cc index d152894ee..4494bf71c 100644 --- a/winsup/cygwin/net.cc +++ b/winsup/cygwin/net.cc @@ -536,10 +536,7 @@ cygwin_socket (int af, int type, int protocol) res = fd; } else - { - delete fh; - fd.release (); - } + delete fh; } done: @@ -2314,10 +2311,7 @@ socketpair (int af, int type, int protocol, int sv[2]) cygheap_fdnew fd_out (fd_in, false); if (fd_out < 0) - { - fd_in.release (); - goto done; - } + goto done; fh_in = reinterpret_cast<fhandler_socket *> (build_fh_dev (*dev)); fh_out = reinterpret_cast<fhandler_socket *> (build_fh_dev (*dev)); @@ -2343,8 +2337,6 @@ socketpair (int af, int type, int protocol, int sv[2]) { delete fh_in; delete fh_out; - fd_in.release (); - fd_out.release (); } } |