| Zbigniew Jędrzejewski-Szmek | 5d6eedd | 2017-01-31 12:11:17 -0500 | [diff] [blame] | 1 | From 83d9a6e89af9caebe109c5f309c7bc2d82bd8fc4 Mon Sep 17 00:00:00 2001 |
| Zbigniew Jędrzejewski-Szmek | 03e93e2 | 2017-01-29 17:22:41 -0500 | [diff] [blame] | 2 | From: Jan Synacek <jan.synacek@gmail.com> |
| 3 | Date: Tue, 3 Jan 2017 21:34:36 +0100 |
| 4 | Subject: [PATCH] shared: fix double free in unmask (#5005) |
| 5 | |
| 6 | Easily reproducible: |
| 7 | 1) systemctl mask foo |
| 8 | 2) systemctl unmask foo foo |
| 9 | |
| 10 | The problem here is that the *i that is put into todo[] is later freed |
| 11 | in strv_uniq(), which is not directly visible from this patch. Somewhere |
| 12 | further in the code, the string that *i pointed to is freed again. That |
| 13 | happens only when multiple services with the same name/path are specified. |
| 14 | (cherry picked from commit dc7dd61de610e9330abe7014860acfa733887d5e) |
| 15 | --- |
| 16 | src/shared/install.c | 4 ++-- |
| 17 | 1 file changed, 2 insertions(+), 2 deletions(-) |
| 18 | |
| 19 | diff --git a/src/shared/install.c b/src/shared/install.c |
| 20 | index 96fba6e25b..5f0eec3ccb 100644 |
| 21 | --- a/src/shared/install.c |
| 22 | +++ b/src/shared/install.c |
| 23 | @@ -1861,7 +1861,7 @@ int unit_file_unmask( |
| 24 | |
| 25 | _cleanup_lookup_paths_free_ LookupPaths paths = {}; |
| 26 | _cleanup_set_free_free_ Set *remove_symlinks_to = NULL; |
| 27 | - _cleanup_free_ char **todo = NULL; |
| 28 | + _cleanup_strv_free_ char **todo = NULL; |
| 29 | size_t n_todo = 0, n_allocated = 0; |
| 30 | const char *config_path; |
| 31 | char **i; |
| 32 | @@ -1899,7 +1899,7 @@ int unit_file_unmask( |
| 33 | if (!GREEDY_REALLOC0(todo, n_allocated, n_todo + 2)) |
| 34 | return -ENOMEM; |
| 35 | |
| 36 | - todo[n_todo++] = *i; |
| 37 | + todo[n_todo++] = strdup(*i); |
| 38 | } |
| 39 | |
| 40 | strv_uniq(todo); |