| commit | 698b23186634e4c77b960806b70977c149383aab | |
| author | Dan Carpenter <dan.carpenter@oracle.com> | |
| Tue, 10 Oct 2017 12:55:15 +0000 (10 15:55 +0300) | ||
| committer | Dan Carpenter <dan.carpenter@oracle.com> | |
| Wed, 11 Oct 2017 10:35:55 +0000 (11 13:35 +0300) | ||
| tree | f2ab0c80917b952f35b7758a6ee0d3ab558ce1e2 | treesnapshot (tar.gz zip) |
| parent | e2be492e86a7c0a0927232d77b56657e31eedff5 | commitdiff |
param_used: fix use after free
There are a couple issues here. Inline functions weren't handled.
But the main tricky thing is that param_used is setting states basically
every time we look up a state. So at the end of the function, we would
free our list of states, then a different check would look up something
and we'd set some more states. The list is still hanging around but
Smatch would free the snames so when we went to insert some new states it
would get a use after free. The fix is to free the &used_stree at the
start of the function. And we have to be registered before smatch_extra.c
so that we free before we start setting states.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
There are a couple issues here. Inline functions weren't handled.
But the main tricky thing is that param_used is setting states basically
every time we look up a state. So at the end of the function, we would
free our list of states, then a different check would look up something
and we'd set some more states. The list is still hanging around but
Smatch would free the snames so when we went to insert some new states it
would get a use after free. The fix is to free the &used_stree at the
start of the function. And we have to be registered before smatch_extra.c
so that we free before we start setting states.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
| check_list.h | diffblobblamehistory | |
| smatch.h | diffblobblamehistory | |
| smatch_param_used.c | diffblobblamehistory |