From: Jan Pokorný
Date: Mon, 2 Apr 2012 12:06:18 +0200
Subject: [Cluster-devel] [PATCH 1/2] resrules: fix free while passing the pointer to caller
In-Reply-To: <20120402095934.GA18543@redhat.com>
References: <20120402095934.GA18543@redhat.com>
Message-ID: <20120402100618.GA19756@redhat.com>
List-Id:
To: cluster-devel.redhat.com
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit

The version ("OCF API Version" as declared in the code) for resource
rules cannot be obtained correctly as the memory is being immediately
freed before passing up to the caller.  What's worse, the caller could
then access uninitialized memory through this pointer
(print_resource_rule and especially destroy_resource_rule which could
lead to crash easily, IMHO).

The patch fixes this, making no difference between success and failure
in getting the version.  Both should be handled correctly when either
dumping resource rule or destroying it.

Aside: was this version field ever actively used or is this a legacy
part not expected to be triggered?

[ I have no test case at hand, this was random spot, sorry. ]

Signed-off-by: Jan Pokorný
---
 resrules.c | 7 ++-----
 1 files changed, 2 insertions(+), 5 deletions(-)

diff --git a/resrules.c b/resrules.c
index cc59e30..581be9e 100644
--- a/resrules.c
+++ b/resrules.c
@@ -205,11 +205,8 @@ _get_version(xmlDocPtr doc, xmlXPathContextPtr ctx, char *base,
 snprintf(xpath, sizeof(xpath), "%s/@version", base);
 ret = xpath_get_one(doc, ctx, xpath);
- if (ret) {
- rr->rr_version = ret;
- free(ret);
- }
- rr->rr_version = NULL;
+ /* NULL or actual result of the query */
+ rr->rr_version = ret;
 }
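Review bot: the removed lines show `rr->rr_version = NULL;` executed unconditionally after the `if (ret)` block, so in the old code the freed pointer was overwritten with NULL before any caller could see it; the defect this hunk actually fixes is that the string returned by `xpath_get_one()` was always freed and discarded, so the version was never available, rather than a use-after-free reachable from print_resource_rule or destroy_resource_rule as the commit message claims. Suggest rewording the message to match the code. With `+ rr->rr_version = ret;` the rule struct now owns that heap string, so please confirm (or add in this series) that destroy_resource_rule() frees rr_version and that print_resource_rule() tolerates rr_version == NULL; otherwise every loaded rule now leaks the allocation. Also, the hunk header announces 11 old / 8 new lines but only 8 / 5 are quoted, so the trailing context appears to have been cut off in the posted mail.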