From 3661cbc69ce24b5230c8602b24927eb841933b5e Mon Sep 17 00:00:00 2001
From: Kp
Date: Sun, 1 Jun 2008 12:59:42 -0500
Subject: [PATCH] Packet streams: avoid double free if silc_id_id2str fails.

In silc_packet_set_ids, the old ID is freed before silc_id_id2str is called. If silc_id_id2str fails, then silc_packet_set_ids returns without resetting the ID pointer. The pointer is then free, but not NULL. When the packet stream is destroyed, silc_packet_stream_destroy will free the pointer again. Reset the ID pointer to NULL immediately after freeing it to prevent this.
---
 lib/silccore/silcpacket.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/lib/silccore/silcpacket.c b/lib/silccore/silcpacket.c
index df195f67..614dc894 100644
--- a/lib/silccore/silcpacket.c
+++ b/lib/silccore/silcpacket.c
@@ -1334,6 +1334,7 @@ SilcBool silc_packet_set_ids(SilcPacketStream stream,
 SILC_LOG_DEBUG(("Setting source ID to packet stream %p", stream));
 silc_free(stream->src_id);
+ stream->src_id = NULL;
 if (!silc_id_id2str(src_id, src_id_type, tmp, sizeof(tmp), &len)) {
 silc_mutex_unlock(stream->lock);
 return FALSE;
@@ -1351,6 +1352,7 @@ SilcBool silc_packet_set_ids(SilcPacketStream stream,
 SILC_LOG_DEBUG(("Setting destination ID to packet stream %p", stream));
 silc_free(stream->dst_id);
+ stream->dst_id = NULL;
 if (!silc_id_id2str(dst_id, dst_id_type, tmp, sizeof(tmp), &len)) {
 silc_mutex_unlock(stream->lock);
 return FALSE;
--
2.24.0
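Review bot: On the failure path of the src_id hunk the stream still loses the ID it held before the call, because `silc_free(stream->src_id);` runs before `silc_id_id2str()` is known to have succeeded; the added NULL store removes the double free but not the state loss. Encoding into `tmp` first and freeing only afterwards would leave the stream unchanged when FALSE is returned, i.e. move `silc_free(stream->src_id);` below the `if (!silc_id_id2str(...))` check. If the stream keeps a length or type next to the pointer (not visible in this hunk), those fields would describe a NULL buffer after a failure, so code that reads the ID should be checked for a NULL test. The same applies to `stream->dst_id` in the second hunk (at -1351); the function body starts and ends outside both hunks.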