From b3bb62dcbdac29ebe1669419a86da060d5be619b Mon Sep 17 00:00:00 2001
From: Michael Vetter
Date: Mon, 8 Jul 2019 15:58:40 +0200
Subject: Fix double free regarding iq handlers

---
 src/xmpp/iq.c | 18 ++++-------------
 1 file changed, 4 insertions(+), 14 deletions(-)

(limited to 'src')

diff --git a/src/xmpp/iq.c b/src/xmpp/iq.c
index e31f3269..23048b8d 100644
--- a/src/xmpp/iq.c
+++ b/src/xmpp/iq.c
@@ -214,7 +214,6 @@ _iq_handler(xmpp_conn_t *const conn, xmpp_stanza_t *const stanza, void *const us
     if (handler) {
         int keep = handler->func(stanza, handler->userdata);
         if (!keep) {
-            free(handler);
             g_hash_table_remove(id_handlers, id);
         }
     }
@@ -235,19 +234,8 @@ iq_handlers_init(void)
         xmpp_timed_handler_add(conn, _autoping_timed_send, millis, ctx);
     }
 
-    if (id_handlers) {
-        GList *keys = g_hash_table_get_keys(id_handlers);
-        GList *curr = keys;
-        while (curr) {
-            ProfIqHandler *handler = g_hash_table_lookup(id_handlers, curr->data);
-            if (handler->free_func && handler->userdata) {
-                handler->free_func(handler->userdata);
-            }
-            curr = g_list_next(curr);
-        }
-        g_list_free(keys);
-        g_hash_table_destroy(id_handlers);
-    }
+    iq_handlers_clear();
+
     id_handlers = g_hash_table_new_full(g_str_hash, g_str_equal, free, (GDestroyNotify)_iq_id_handler_free);
     rooms_cache = g_hash_table_new_full(g_str_hash, g_str_equal, free, (GDestroyNotify)xmpp_stanza_release);
 }
@@ -257,6 +245,7 @@ iq_handlers_clear()
 {
     if (id_handlers) {
         g_hash_table_remove_all(id_handlers);
+        id_handlers = NULL;
     }
 }
 
@@ -344,6 +333,7 @@ iq_rooms_cache_clear(void)
 {
     if (rooms_cache) {
         g_hash_table_remove_all(rooms_cache);
+        rooms_cache = NULL;
     }
 }
 
-- 
cgit 1.4.1-2-gfad0

From 7af85d0fe0fdebb48928385e2afacbdac91bb420 Mon Sep 17 00:00:00 2001
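Review bot: After the `free(handler)` removal the only release of `handler` is the table's value destroy function, so `g_hash_table_remove(id_handlers, id)` now frees the object whose `func` has just run; that is correct only while `handler->func` cannot itself remove the same id or call `iq_handlers_clear()`, which this commit changes to set `id_handlers` to NULL. If a callback can trigger a disconnect or clear, the remove runs on a NULL table or a stale entry; guarding the remove with `if (id_handlers)`, or looking the id up again after the callback, would make the ownership assumption explicit. `_iq_handler` starts and ends outside the hunk.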
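Review bot: The new `iq_handlers_clear();` call tears down the previous `id_handlers` table before it is recreated, but the following `rooms_cache = g_hash_table_new_full(...)` still overwrites any existing `rooms_cache` without a matching clear, so a repeated `iq_handlers_init()` (which the removed `if (id_handlers)` guard shows is expected) drops the old cache table and its stanzas without running their destroy functions. Adding `iq_rooms_cache_clear();` beside the new call would keep the two tables symmetric. The function's opening lines are outside the hunk.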
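Review bot: Setting `id_handlers = NULL;` right after `g_hash_table_remove_all(id_handlers);` leaks the GHashTable itself: remove_all frees the entries through their destroy functions but keeps the table allocated, and the pointer dropped here is the only visible reference to it, while the `g_hash_table_destroy()` the removed block in `iq_handlers_init` used to perform is gone. Because `iq_handlers_init` now calls this function before creating a fresh table, every re-init leaks one table. Replacing the remove_all with `g_hash_table_destroy(id_handlers);` (which runs the same destroy functions) before the NULL assignment closes this; the `rooms_cache = NULL;` hunk in `iq_rooms_cache_clear` has the identical problem.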
From: Michael Vetter
Date: Mon, 8 Jul 2019 16:33:58 +0200
Subject: Fix double free in omemo_start_device_session_handle_bundle()

omemo_key_free() was called to free the key. It free the key->data too. But in same cases this was not set yet. So we need to set the data to NULL (or use calloc) at initialization so that omemo_key_free() only frees it if it was actually allocated. Regards https://github.com/profanity-im/profanity/issues/1148
---
 src/xmpp/omemo.c | 1 +
 1 file changed, 1 insertion(+)

(limited to 'src')

diff --git a/src/xmpp/omemo.c b/src/xmpp/omemo.c
index e44cc00e..99f4785d 100644
--- a/src/xmpp/omemo.c
+++ b/src/xmpp/omemo.c
@@ -165,6 +165,7 @@ omemo_start_device_session_handle_bundle(xmpp_stanza_t *const stanza, void *cons
     xmpp_stanza_t *prekey;
     for (prekey = xmpp_stanza_get_children(prekeys); prekey != NULL; prekey = xmpp_stanza_get_next(prekey)) {
         omemo_key_t *key = malloc(sizeof(omemo_key_t));
+        key->data = NULL;
 
         const char *prekey_id_text = xmpp_stanza_get_attribute(prekey, "preKeyId");
         if (!prekey_id_text) {
-- 
cgit 1.4.1-2-gfad0

From 89d8fc846e17001551c7830524229820665e3abe Mon Sep 17 00:00:00 2001
From: Michael Vetter
Date: Tue, 9 Jul 2019 09:47:35 +0200
Subject: Fix double free in room id handler

Free is done in destructor now. Regards https://github.com/profanity-im/profanity/issues/1148
---
 src/xmpp/iq.c | 7 +------
 1 file changed, 1 insertion(+), 6 deletions(-)

(limited to 'src')

diff --git a/src/xmpp/iq.c b/src/xmpp/iq.c
index 23048b8d..6e89307f 100644
--- a/src/xmpp/iq.c
+++ b/src/xmpp/iq.c
@@ -2069,8 +2069,6 @@ _room_info_response_id_handler(xmpp_stanza_t *const stanza, void *const userdata
             mucwin_room_info_error(mucwin, error_message);
             free(error_message);
         }
-        free(cb_data->room);
-        free(cb_data);
         return 0;
     }
 
@@ -2136,9 +2134,6 @@ _room_info_response_id_handler(xmpp_stanza_t *const stanza, void *const userdata
         g_slist_free_full(identities, (GDestroyNotify)_identity_destroy);
     }
 
-    free(cb_data->room);
-    free(cb_data);
-
     return 0;
 }
 
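Review bot: `key->data = NULL;` only covers one member of `omemo_key_t`; any other field that `omemo_key_free()` or the parsing below reads stays indeterminate after the unchecked `malloc`, and the store itself writes through a possibly NULL result. Using the calloc the description already mentions, `omemo_key_t *key = calloc(1, sizeof *key);`, zero-initialises every member in one step, and a NULL check on `key` before its first use, following the function's existing error path, would keep an allocation failure from becoming a write through NULL. The enclosing function begins outside the hunk.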
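Review bot: With both `free(cb_data->room); free(cb_data);` pairs removed, `_room_info_response_id_handler` no longer states who owns `cb_data`; the description says the destructor now frees it, which presumably means `_iq_free_room_data` is registered as this handler's free_func, but nothing in the function records that. A comment at the top of the handler, `/* cb_data is owned by the id handler table and released by its free_func (_iq_free_room_data); never free it here */`, would keep the frees from being reintroduced. The same applies to the second hunk of this file, and the function's header and the code around both hunks lie outside them.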
@@ -2448,8 +2443,8 @@ iq_send_stanza(xmpp_stanza_t *const stanza)
         xmpp_send_raw_string(conn, "%s", text);
     }
     xmpp_free(connection_get_ctx(), text);
-
 }
+
 static void
 _iq_free_room_data(ProfRoomInfoData *roominfo)
 {
-- 
cgit 1.4.1-2-gfad0