Packet streams: avoid double free if silc_id_id2str fails.
author Kp <kp@valhallalegends.com>
Sun, 1 Jun 2008 17:59:42 +0000 (12:59 -0500)
committer Kp <kp@valhallalegends.com>
Mon, 1 Sep 2008 20:14:10 +0000 (15:14 -0500)
In silc_packet_set_ids, the old ID is freed before silc_id_id2str is
called.  If silc_id_id2str fails, then silc_packet_set_ids returns
without resetting the ID pointer.  The pointer is then freed, but not
NULL.  When the packet stream is destroyed, silc_packet_stream_destroy
will free the pointer again.  Reset the ID pointer to NULL immediately
after freeing it to prevent this.

lib/silccore/silcpacket.c

index df195f6..614dc89 100644 (file)
@@ -1334,6 +1334,7 @@ SilcBool silc_packet_set_ids(SilcPacketStream stream,
     SILC_LOG_DEBUG(("Setting source ID to packet stream %p", stream));
 
     silc_free(stream->src_id);
+    stream->src_id = NULL;
     if (!silc_id_id2str(src_id, src_id_type, tmp, sizeof(tmp), &len)) {
       silc_mutex_unlock(stream->lock);
       return FALSE;
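Review bot: The old source ID is still released before silc_id_id2str is known to succeed, so on the failure path that returns FALSE the stream is left with stream->src_id == NULL instead of its previous value. Setting the pointer to NULL removes the double free, but consider calling silc_id_id2str into tmp first and only then doing silc_free(stream->src_id) and the reassignment, so a failed call leaves the stream unchanged. If the current order is kept, a short comment above stream->src_id = NULL saying that the destroy path frees this pointer would explain why the reset is needed.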
@@ -1351,6 +1352,7 @@ SilcBool silc_packet_set_ids(SilcPacketStream stream,
     SILC_LOG_DEBUG(("Setting destination ID to packet stream %p", stream));
 
     silc_free(stream->dst_id);
+    stream->dst_id = NULL;
     if (!silc_id_id2str(dst_id, dst_id_type, tmp, sizeof(tmp), &len)) {
       silc_mutex_unlock(stream->lock);
       return FALSE;
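Review bot: When silc_id_id2str fails for dst_id here, the function returns FALSE after the source ID code earlier in the same function may already have replaced stream->src_id, and stream->dst_id has just been cleared, so a failed call can leave the stream half updated. Consider converting both IDs before touching either stored pointer, or document in the function comment that a FALSE return can leave src_id updated and dst_id NULL, so callers know to tear the stream down rather than keep using it.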