From 2886e469e7aa7ff212a2777f268f056df85fd356 Mon Sep 17 00:00:00 2001 From: Mathieu Desnoyers Date: Tue, 22 Sep 2020 16:38:51 -0400 Subject: [PATCH] Fix: ustctl_release_object: eliminate double-close/free on error When ustctl_release_object returns an error, it is unclear to the caller what close/free side effects were effectively performed and which were not. So the only courses of action are to either leak file descriptors or memory, or call ustctl_release_object again which can trigger double close or double free. Fix this by setting the file descriptors to -1 after successful close, and pointers to NULL after successful free. Signed-off-by: Mathieu Desnoyers --- liblttng-ust-ctl/ustctl.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/liblttng-ust-ctl/ustctl.c b/liblttng-ust-ctl/ustctl.c index 9e650466..b637934f 100644 --- a/liblttng-ust-ctl/ustctl.c +++ b/liblttng-ust-ctl/ustctl.c @@ -109,8 +109,10 @@ int ustctl_release_object(int sock, struct lttng_ust_object_data *data) ret = -errno; return ret; } + data->u.channel.wakeup_fd = -1; } free(data->u.channel.data); + data->u.channel.data = NULL; break; case LTTNG_UST_OBJECT_TYPE_STREAM: if (data->u.stream.shm_fd >= 0) { @@ -119,6 +121,7 @@ int ustctl_release_object(int sock, struct lttng_ust_object_data *data) ret = -errno; return ret; } + data->u.stream.shm_fd = -1; } if (data->u.stream.wakeup_fd >= 0) { ret = close(data->u.stream.wakeup_fd); @@ -126,6 +129,7 @@ int ustctl_release_object(int sock, struct lttng_ust_object_data *data) ret = -errno; return ret; } + data->u.stream.wakeup_fd = -1; } break; case LTTNG_UST_OBJECT_TYPE_EVENT: -- 2.34.1