GNU bug report logs - #19890
[PATCH] Use after free in dld_link on error path


Package: libtool

Reported by: Tobias Stoeckmann <tobias <at> stoeckmann.org>

Date: Tue, 17 Feb 2015 21:44:02 UTC

Severity: normal

Tags: patch

Fixed in version 2.4.6.25

Done: Pavel Raiskup <praiskup <at> redhat.com>

Bug is archived. No further changes may be made.



Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Tobias Stoeckmann <tobias <at> stoeckmann.org>
To: bug-libtool <at> gnu.org
Subject: [PATCH] Use after free in dld_link on error path
Date: Tue, 17 Feb 2015 22:42:45 +0100

When dld_link fails, the allocated memory for module (strdup) is
freed, but still returned by vm_open. vm_open is called in
ltdr.c line 444, which checks the error flag only if result is NULL.

Therefore, the error condition of vm_open is ignored and the memory
pointed to by module is used later on.

While fixing this, also set error condition and return NULL if
strdup is unable to allocate memory.
---
 libltdl/loaders/dld_link.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/libltdl/loaders/dld_link.c b/libltdl/loaders/dld_link.c
index a73880f..e95d5e4 100644
--- a/libltdl/loaders/dld_link.c
+++ b/libltdl/loaders/dld_link.c
@@ -111,11 +111,15 @@ vm_open (lt_user_data loader_data LT__UNUSED, const char *filename,
          lt_dladvise advise LT__UNUSED)
 {
   lt_module module = lt__strdup (filename);
-
-  if (dld_link (filename) != 0)
+  if (module == NULL)
+    {
+      LT__SETERROR (NO_MEMORY);
+    }
+  else if (dld_link (filename) != 0)
     {
       LT__SETERROR (CANNOT_OPEN);
       FREE (module);
+      module = NULL;
     }
 
   return module;
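Review bot: In the `dld_link` failure branch, the added `module = NULL;` after `FREE (module);` is the line that lets the caller see the failure, but nothing in the code says so. The commit message explains that the caller checks the error flag only when the result is NULL, so vm_open has to return NULL on every path that calls LT__SETERROR. A one-line comment above `return module;` stating that contract would keep a later cleanup from dropping the assignment as redundant. Style point: the hunk also removes the blank line between the declaration `lt_module module = lt__strdup (filename);` and the first statement; keeping that blank line would limit the diff to the functional change.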
-- 
2.3.0





This bug report was last modified 9 years and 99 days ago.
