diff options
| author | Michael Adam <obnox@samba.org> | 2009-11-10 00:32:17 +0100 |
|---|---|---|
| committer | Michael Adam <obnox@samba.org> | 2009-11-10 00:37:57 +0100 |
| commit | 4292fe7795cb3abfabb7196783779794c97ceb5c (patch) | |
| tree | 159355c8ce6b7c6eb43d91e6c2a8f7e727f2c03d | |
| parent | 2b73e2183f2a31b4c267fe5991747c8cd55b8b2d (diff) | |
| download | tinyproxy-4292fe7795cb3abfabb7196783779794c97ceb5c.tar.gz tinyproxy-4292fe7795cb3abfabb7196783779794c97ceb5c.zip | |
Fix a segfault in insert_acl and checks against string-type acls
The "address" member of struct acl_s is a union of a char *
and the numeric ip. So freeing the string after appending it to the
vector list is bad in two respects:
1. If the acl type was numeric, then this could (and would)
lead to a segfault due to the numeric IP data interpreted
as pointer to the string to be freed.
2. If the acl type was string, then the acl inserted into the
list contained a reference to this address string that
was freed. So in the worst case dereferencing this freed
string could segfault, or at least this could lead to
unexpectedly failing acl checks.
Michael
| -rw-r--r-- | src/acl.c | 4 |
1 files changed, 0 insertions, 4 deletions
@@ -179,11 +179,7 @@ int insert_acl (char *location, acl_access_t access_type) } } - /* - * Add the entry and then clean up. - */ ret = vector_append (access_list, &acl, sizeof (struct acl_s)); - safefree (acl.address.string); return ret; } |