From: Daniel Mack Date: Tue, 7 Oct 2014 09:32:07 +0000 (+0200) Subject: sd-bus: fix use-after-free in close_kdbus_msg() X-Git-Tag: v217~297 X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?a=commitdiff_plain;h=ca794c8e9583eb660f535af32c8c8281a284f270;p=elogind.git sd-bus: fix use-after-free in close_kdbus_msg() Walk the items first, then free the memory of the message. Also, while at it, make coverity happy with an explicit (void) prefix. We intentionally ignore the return value here.
---
diff --git a/src/libsystemd/sd-bus/bus-kernel.c b/src/libsystemd/sd-bus/bus-kernel.c
index 92407133b..b431d7813 100644
--- a/src/libsystemd/sd-bus/bus-kernel.c
+++ b/src/libsystemd/sd-bus/bus-kernel.c
@@ -808,8 +808,6 @@ static void close_kdbus_msg(sd_bus *bus, struct kdbus_msg *k) {
 cmd.flags = 0;
 cmd.offset = (uint8_t *)k - (uint8_t *)bus->kdbus_buffer;
- ioctl(bus->input_fd, KDBUS_CMD_FREE, &cmd);
-
 KDBUS_ITEM_FOREACH(d, k, items) {
 if (d->type == KDBUS_ITEM_FDS)
@@ -817,6 +815,8 @@ static void close_kdbus_msg(sd_bus *bus, struct kdbus_msg *k) {
 else if (d->type == KDBUS_ITEM_PAYLOAD_MEMFD)
 safe_close(d->memfd.fd);
 }
+
+ (void) ioctl(bus->input_fd, KDBUS_CMD_FREE, &cmd);
 }
 int bus_kernel_write_message(sd_bus *bus, sd_bus_message *m, bool hint_sync_call) {
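Review bot: The `(void) ioctl(bus->input_fd, KDBUS_CMD_FREE, &cmd);` that now ends close_kdbus_msg() has to stay after the `KDBUS_ITEM_FOREACH` loop, yet nothing in the code records that ordering requirement. The loop reads `d->type` and `d->memfd.fd` out of `k`, and `cmd.offset` is computed from `k`'s position in `bus->kdbus_buffer`, so per the commit message the ioctl releases the same memory the loop walks; a later tidy-up that moves the free back above the loop would again close descriptors read from released memory. I would put a comment directly above the call, `/* Must stay last: the items walked above live in the slice this frees. */`, and state in that same comment why a failed free is ignored, since the `(void)` cast alone only silences the checker. The function begins above the first hunk, so the declaration of `cmd` is not visible here.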