commit 72832086e2144158308b30133aa15b39f0d2eb5d Author: Nick Mathewson nickm@torproject.org Date: Tue Aug 8 20:07:39 2017 -0400
Use a single free-and-exit strategy in config_process_include.
This avoids a double-free when a pointer already freed with tor_free(config_line) is freed again in the cleanup-and-exit code.
Fixes bug 23155. --- changes/bug23155 | 4 ++++ src/common/confline.c | 16 +++++++++------- 2 files changed, 13 insertions(+), 7 deletions(-)
diff --git a/changes/bug23155 b/changes/bug23155
new file mode 100644
index 000000000..4c24ab136
--- /dev/null
+++ b/changes/bug23155
@@ -0,0 +1,4 @@
+ o Minor bugfixes (stability):
+ - Avoid crashing on double-free when unable to load or process
+ an included file. Fixes bug 23155; bugfix on 0.3.1.1-alpha.
+ Found with the clang static analyzer.
diff --git a/src/common/confline.c b/src/common/confline.c
index 691cbf8c6..15fd96bf3 100644
--- a/src/common/confline.c
+++ b/src/common/confline.c
@@ -294,24 +294,26 @@ config_process_include(const char *path, int recursion_level, int extended,
 return -1;
 }
- SMARTLIST_FOREACH_BEGIN(config_files, char *, config_file) { + int rv = -1; + SMARTLIST_FOREACH_BEGIN(config_files, const char *, config_file) { config_line_t *included_list = NULL; if (config_get_included_list(config_file, recursion_level, extended, &included_list, list_last) < 0) { - SMARTLIST_FOREACH(config_files, char *, f, tor_free(f)); - smartlist_free(config_files); - return -1; + goto done; } - tor_free(config_file);
*next = included_list; if (*list_last) next = &(*list_last)->next;
} SMARTLIST_FOREACH_END(config_file);
- smartlist_free(config_files);
 *list = ret_list;
- return 0;
+ rv = 0;
+
+ done:
+ SMARTLIST_FOREACH(config_files, char *, f, tor_free(f));
+ smartlist_free(config_files);
+ return rv;
 }
/**
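Review bot: On the new `goto done` failure path, lines from include files that were already processed and chained through `*next = included_list` do not appear to be released: `*list = ret_list` runs only on success, and the `done:` block frees just the `config_files` strings and the smartlist itself. If `ret_list` is the head of that chain (its declaration is above the hunk, so this is inferred), a failure on a later file leaks the lines parsed from the earlier ones. Consider `if (rv < 0) config_free_lines(ret_list);` at `done:`, after confirming that callers do not read `*list_last` following an error, since it may still point into that chain. The body of config_process_include starts outside the hunk.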