From 44377c6a5ca96ec6334619d49d6a4f486c5a8d21 Mon Sep 17 00:00:00 2001
From: Dmitry Podgorny
Date: Thu, 9 Apr 2020 15:22:11 +0300
Subject: Fix use-after-free in stanza_create_caps_from_query_element()
The function creates a form to find such strings as software, os, etc. It remembers the strings allocated by form_create() and use them below in caps_create(). The issue is that the form is destroyed before and as result the strings are freed too. As solution, allocate own copy of strings.
---
 src/xmpp/stanza.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)
(limited to 'src')
diff --git a/src/xmpp/stanza.c b/src/xmpp/stanza.c
index 8791100b..56185843 100644
--- a/src/xmpp/stanza.c
+++ b/src/xmpp/stanza.c
@@ -1784,13 +1784,13 @@ stanza_create_caps_from_query_element(xmpp_stanza_t *query)
 formField = field->data;
 if (formField->values) {
 if (strcmp(formField->var, "software") == 0) {
- software = formField->values->data;
+ software = strdup(formField->values->data);
 } else if (strcmp(formField->var, "software_version") == 0) {
- software_version = formField->values->data;
+ software_version = strdup(formField->values->data);
 } else if (strcmp(formField->var, "os") == 0) {
- os = formField->values->data;
+ os = strdup(formField->values->data);
 } else if (strcmp(formField->var, "os_version") == 0) {
- os_version = formField->values->data;
+ os_version = strdup(formField->values->data);
 }
 }
 field = g_slist_next(field);
@@ -1872,6 +1872,10 @@ stanza_create_caps_from_query_element(xmpp_stanza_t *query)
 EntityCapabilities *result = caps_create(category, type, name, software, software_version, os, os_version, features);
 g_slist_free_full(features, free);
+ free(software);
+ free(software_version);
+ free(os);
+ free(os_version);
 return result;
 }
-- cgit 1.4.1-2-gfad0
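Review bot: A form that carries the same var twice now leaks the first copy, because each `strdup` on the `+` lines of the first hunk overwrites the previous pointer without releasing it; before this change the overwrite was harmless since the form owned the strings, and the query element comes from a remote entity, so this is a peer-influenceable leak. Either release before reassigning, `free(software); software = strdup(formField->values->data);` (and likewise for the other three vars), or keep the first occurrence with `if (!software) software = strdup(...)`. Both variants assume the four pointers are initialised to NULL before the loop, which is outside this hunk and worth confirming. `strdup(NULL)` is undefined, so if the form code can ever yield a NULL `values->data` that needs a guard too, whereas the old plain assignment tolerated it. The enclosing function starts before and ends after this hunk.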
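Review bot: The four `free()` calls in the second hunk only run on the path that reaches `caps_create`, so any early `return` in the roughly ninety lines between the field loop and this point (not shown) now leaks the copies; if such a path exists, the frees belong in a shared cleanup label. The same lines also assume `caps_create` copies its string arguments rather than storing the pointers — I cannot see it here, and if it keeps them the frees reintroduce the use-after-free this commit fixes — so a short comment above the frees would protect the next reader: `/* caps_create() duplicates its string arguments; drop our temporary copies */`. A NULL from a failed `strdup` is passed through to `caps_create` silently, which is only acceptable if it treats NULL as "field absent". The function's beginning lies outside the hunk.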