server_port_flush is awkward

Status: RESOLVED INVALID
Severity: critical
Reporter: timeless (Unassigned)
Keywords: coverity, crash
Version: Trunk
Whiteboard: [sg:nse in Mozilla]
Opened: 8 years ago; last changed: 4 months ago

Description (Reporter, 8 years ago)

server_request_free(struct server_request *req)
{
        /* ... */
        if (rc == 0) {
                /* ... */
                free(req);
                return (1);
        }
        free(req);
        return (0);
}

server_request_free frees req unconditionally.

server_port_flush(struct evdns_server_port *port)
        /* ... */
        while (port->pending_replies) {
                struct server_request *req = port->pending_replies;
                /* ... */
                if (server_request_free(req)) {
                        /* we released the last reference to req->port. */

AFAICT you released it whether or not it returned true; this seems like a bad idea.

                        return;
                }
        }
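A constructed model of the ownership rule the two functions above rely on, added here as an illustration and not libevent's or the reporter's code (the names port_flush, request_free, flush_frees_port and ports_freed are hypothetical): each pending request holds one reference on its port, the request is always freed, and the return value tells the flush loop whether the port itself was freed with it, which is the signal that port must not be touched again.

```c
#include <stdlib.h>
/* Constructed model of the evdns ownership pattern discussed above, not
 * libevent's code: every pending request holds one reference on its port. */
struct port { struct request *pending_replies; int refcnt; };
struct request { struct request *next_pending; struct port *port; };
int ports_freed;  /* number of ports freed so far, for checking */
/* Frees req unconditionally. Returns 1 only when this dropped the last
 * reference on req->port, in which case the port was freed as well. */
int request_free(struct request *req)
{
    int rc = 1;
    if (req->port) {
        if (req->port->pending_replies == req)  /* unlink the list head */
            req->port->pending_replies = req->next_pending;
        rc = --req->port->refcnt;
        if (rc == 0) { free(req->port); ports_freed++; }
    }
    free(req);
    return rc == 0;
}

/* Once request_free() reports the port is gone, the loop must return
 * without re-reading port->pending_replies: that would be a use-after-free. */
void port_flush(struct port *port)
{
    while (port->pending_replies) {
        struct request *req = port->pending_replies;
        if (request_free(req))
            return;
    }
}

/* Driver: nreq pending requests, optional owner reference; 1 if flush freed the port. */
int flush_frees_port(int nreq, int owner_holds_ref)
{
    struct port *port = calloc(1, sizeof(*port));
    int before = ports_freed;
    port->refcnt = owner_holds_ref ? 1 : 0;
    for (int i = 0; i < nreq; i++) {
        struct request *req = calloc(1, sizeof(*req));
        req->port = port;
        req->next_pending = port->pending_replies;
        port->pending_replies = req;
        port->refcnt++;
    }
    port_flush(port);
    if (ports_freed == before)
        free(port);  /* list drained; the owner releases its own reference */
    return ports_freed != before;
}
```

When the owner holds no reference of its own, the last request freed takes the port with it and the loop exits on the return value rather than on the list becoming empty; when the owner does hold one, the loop drains the list and the port survives for the owner to release.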
This code is not used in Mozilla, so closing INVALID (not our bug).

BenT: you imported this, I think; please let some Chromium folks know so they can decide whether this is a problem for them before we un-hide the bug.
Status: NEW → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → INVALID
Whiteboard: [sg:nse in Mozilla]
Group: core-security
Blocks: 1230156