|
 |
eb8e82 |
From 6cb247f13fb773baea64b5efaf08984b5368cc4a Mon Sep 17 00:00:00 2001
|
|
|
eb8e82 |
From: Debarshi Ray <rishi@gnu.org>
|
|
|
eb8e82 |
Date: Wed, 26 Apr 2017 19:54:42 +0200
|
|
|
eb8e82 |
Subject: [PATCH] jabber: Avoid a use-after-free in an error path
|
|
|
eb8e82 |
|
|
|
eb8e82 |
If jabber_buddy_find_resource returned NULL, 'resource' was being used
|
|
|
eb8e82 |
to print an error after it had already been freed. The easiest way to
|
|
|
eb8e82 |
prevent that is to consolidate all the local resource deallocation and
|
|
|
eb8e82 |
exit paths in one place.
|
|
|
eb8e82 |
|
|
|
eb8e82 |
Fixes #17200
|
|
|
eb8e82 |
---
|
|
|
eb8e82 |
libpurple/protocols/jabber/jingle/rtp.c | 21 ++++++++++++---------
|
|
|
eb8e82 |
1 file changed, 12 insertions(+), 9 deletions(-)
|
|
|
eb8e82 |
|
|
|
eb8e82 |
diff --git a/libpurple/protocols/jabber/jingle/rtp.c b/libpurple/protocols/jabber/jingle/rtp.c
|
|
|
eb8e82 |
index 57783abe413d..38d536c342ba 100644
|
|
|
eb8e82 |
--- a/libpurple/protocols/jabber/jingle/rtp.c
|
|
|
eb8e82 |
+++ b/libpurple/protocols/jabber/jingle/rtp.c
|
|
|
eb8e82 |
@@ -950,6 +950,7 @@ jingle_rtp_initiate_media(JabberStream *js, const gchar *who,
|
|
|
eb8e82 |
JingleTransport *transport;
|
|
|
eb8e82 |
JabberBuddy *jb;
|
|
|
eb8e82 |
JabberBuddyResource *jbr;
|
|
|
eb8e82 |
+ gboolean ret = FALSE;
|
|
|
eb8e82 |
const gchar *transport_type;
|
|
|
eb8e82 |
|
|
|
eb8e82 |
gchar *resource = NULL, *me = NULL, *sid = NULL;
|
|
|
eb8e82 |
@@ -958,16 +959,15 @@ jingle_rtp_initiate_media(JabberStream *js, const gchar *who,
|
|
|
eb8e82 |
jb = jabber_buddy_find(js, who, FALSE);
|
|
|
eb8e82 |
if (!jb) {
|
|
|
eb8e82 |
purple_debug_error("jingle-rtp", "Could not find Jabber buddy\n");
|
|
|
eb8e82 |
- return FALSE;
|
|
|
eb8e82 |
+ goto out;
|
|
|
eb8e82 |
}
|
|
|
eb8e82 |
|
|
|
eb8e82 |
resource = jabber_get_resource(who);
|
|
|
eb8e82 |
jbr = jabber_buddy_find_resource(jb, resource);
|
|
|
eb8e82 |
- g_free(resource);
|
|
|
eb8e82 |
|
|
|
eb8e82 |
if (!jbr) {
|
|
|
eb8e82 |
purple_debug_error("jingle-rtp", "Could not find buddy's resource - %s\n", resource);
|
|
|
eb8e82 |
- return FALSE;
|
|
|
eb8e82 |
+ goto out;
|
|
|
eb8e82 |
}
|
|
|
eb8e82 |
|
|
|
eb8e82 |
if (jabber_resource_has_capability(jbr, JINGLE_TRANSPORT_ICEUDP)) {
|
|
|
eb8e82 |
@@ -977,7 +977,7 @@ jingle_rtp_initiate_media(JabberStream *js, const gchar *who,
|
|
|
eb8e82 |
} else {
|
|
|
eb8e82 |
purple_debug_error("jingle-rtp", "Resource doesn't support "
|
|
|
eb8e82 |
"the same transport types\n");
|
|
|
eb8e82 |
- return FALSE;
|
|
|
eb8e82 |
+ goto out;
|
|
|
eb8e82 |
}
|
|
|
eb8e82 |
|
|
|
eb8e82 |
/* set ourselves as initiator */
|
|
|
eb8e82 |
@@ -985,7 +985,6 @@ jingle_rtp_initiate_media(JabberStream *js, const gchar *who,
|
|
|
eb8e82 |
|
|
|
eb8e82 |
sid = jabber_get_next_id(js);
|
|
|
eb8e82 |
session = jingle_session_create(js, sid, me, who, TRUE);
|
|
|
eb8e82 |
- g_free(sid);
|
|
|
eb8e82 |
|
|
|
eb8e82 |
|
|
|
eb8e82 |
if (type & PURPLE_MEDIA_AUDIO) {
|
|
|
eb8e82 |
@@ -1005,13 +1004,17 @@ jingle_rtp_initiate_media(JabberStream *js, const gchar *who,
|
|
|
eb8e82 |
jingle_rtp_init_media(content);
|
|
|
eb8e82 |
}
|
|
|
eb8e82 |
|
|
|
eb8e82 |
- g_free(me);
|
|
|
eb8e82 |
-
|
|
|
eb8e82 |
if (jingle_rtp_get_media(session) == NULL) {
|
|
|
eb8e82 |
- return FALSE;
|
|
|
eb8e82 |
+ goto out;
|
|
|
eb8e82 |
}
|
|
|
eb8e82 |
|
|
|
eb8e82 |
- return TRUE;
|
|
|
eb8e82 |
+ ret = TRUE;
|
|
|
eb8e82 |
+
|
|
|
eb8e82 |
+out:
|
|
|
eb8e82 |
+ g_free(me);
|
|
|
eb8e82 |
+ g_free(resource);
|
|
|
eb8e82 |
+ g_free(sid);
|
|
|
eb8e82 |
+ return ret;
|
|
|
eb8e82 |
}
|
|
|
eb8e82 |
|
|
|
eb8e82 |
void
|
|
|
eb8e82 |
--
|
|
|
eb8e82 |
2.9.3
|
|
|
eb8e82 |
|