From 4292fe7795cb3abfabb7196783779794c97ceb5c Mon Sep 17 00:00:00 2001
From: Michael Adam <obnox@samba.org>
Date: Tue, 10 Nov 2009 00:32:17 +0100
Subject: Fix a segfault in insert_acl and checks against string-type acls

The "address" member of struct acl_s is a union of a char *
and the numeric ip. So freeing the string after appending it to the
vector list is bad in two respects:

1. If the acl type was numeric, then this could (and would)
   lead to a segfault due to the numeric IP data interpreted
   as pointer to the string to be freed.

2. If the acl type was string, then the acl inserted into the
   list contained a reference to this address string that
   was freed. So in the worst case dereferencing this freed
   string could segfault, or at least this could lead to
   unexpectedly failing acl checks.

Michael
---
 src/acl.c | 4 ----
 1 file changed, 4 deletions(-)

(limited to 'src')

diff --git a/src/acl.c b/src/acl.c
index 6f0418e..5802769 100644
--- a/src/acl.c
+++ b/src/acl.c
@@ -179,11 +179,7 @@ int insert_acl (char *location, acl_access_t access_type)
                 }
         }
 
-        /*
-         * Add the entry and then clean up.
-         */
         ret = vector_append (access_list, &acl, sizeof (struct acl_s));
-        safefree (acl.address.string);
         return ret;
 }
 
-- 
cgit v1.2.3