Use after talloc_free...

Rusty Russell rusty at rustcorp.com.au
Wed Nov 11 01:10:14 MST 2009


Two recent CTDB fixes (1cbf06a126621 and eda052101728cf) both fixed obvious
use-after-free bugs[1].  This has convinced me that something like SAFE_FREE
would be nice in talloc.

Since I hate SHOUTING, my proposal is a "talloc_free_var(&ptr)" which
frees and changes ptr, and is a first-class talloc function.

I even have an implementation.  Yes, it's kinda tricky:

#define talloc_free_var(varp)						\
	do {								\
		talloc_free(&**(varp));					\
		*(varp) = ((void *)((long)__LINE__ % getpagesize()));	\
	} while(0)

1) Accidentally using "talloc_free_var(ptr)" won't compile.
2) The result is still a non-NULL ptr, but an invalid one which gives a clue
   as to where it was freed.

Thoughts?
Rusty.

[1] Neither actually indicated when they were introduced, nor cc'd the
    culprit.  I have[2].
[2] But Ronnie needs to use git-am so From gets accredited correctly!
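The free-and-poison trick from the proposal, as an added example that is not Rusty's code and not part of talloc: it applies the same macro shape to plain malloc/free so it runs without libtalloc, and puts a SAFE_FREE-style free-and-NULL beside it for comparison. The names poison_free_var, SAFE_FREE, is_poison_ptr and the helper functions are invented here; the page-size assumption (the poison value lands in the unmapped zero page, so a later dereference faults) is the one the mail relies on.

```c
/* Added example: the talloc_free_var() idea re-done over malloc/free so it
 * compiles stand-alone.  Names below are invented for this illustration. */
#define _DEFAULT_SOURCE 1   /* expose getpagesize() under strict -std flags */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Free *varp and overwrite it with the invoking line number modulo the page
 * size.  The result is non-NULL but lies inside the zero page, which is never
 * mapped, so any later dereference faults at once instead of silently reading
 * freed memory; the low bits say where the free happened.  The &**(varp)
 * construction only compiles if varp is a pointer-to-pointer. */
#define poison_free_var(varp)                                            \
	do {                                                             \
		free(&**(varp));                                         \
		*(varp) = (void *)((long)__LINE__ % getpagesize());      \
	} while (0)

/* The SAFE_FREE idiom for comparison: frees and NULLs, so a later
 * dereference is a NULL dereference with no hint of where it was freed. */
#define SAFE_FREE(p)                                                     \
	do {                                                             \
		free(p);                                                 \
		(p) = NULL;                                              \
	} while (0)

/* True if p looks like a poison value (a non-NULL address in the zero page). */
static int is_poison_ptr(const void *p)
{
	return p != NULL && (uintptr_t)p < (uintptr_t)getpagesize();
}

/* The line the poison value encodes (exact if the file is shorter than a page). */
static long poison_line(const void *p)
{
	return (long)(uintptr_t)p;
}

/* Free a buffer with the poisoning macro and hand back the poisoned pointer. */
static void *free_with_poison(void)
{
	char *buf = malloc(64);
	if (!buf)
		return NULL;
	strcpy(buf, "hello");        /* constructed sample content */
	poison_free_var(&buf);       /* frees buf, leaves a poison value in it */
	/* poison_free_var(buf); would not compile: &**buf needs a char ** */
	return buf;
}

/* The same sequence with SAFE_FREE: the result is simply NULL. */
static void *free_with_null(void)
{
	char *buf = malloc(64);
	if (!buf)
		return NULL;
	SAFE_FREE(buf);
	return buf;
}

/* A caller-side guard: refuse to touch a pointer that was freed either way. */
static int use_after_free_detected(const void *p)
{
	return p == NULL || is_poison_ptr(p);
}

int main(void)
{
	void *poisoned = free_with_poison();
	void *nulled = free_with_null();

	printf("poisoned pointer: %p (freed at line %ld)\n",
	       poisoned, poison_line(poisoned));
	printf("nulled pointer:   %p\n", nulled);
	printf("use-after-free caught: poisoned=%d nulled=%d\n",
	       use_after_free_detected(poisoned),
	       use_after_free_detected(nulled));
	return 0;
}
```

The two macros differ in what a later bug looks like: after SAFE_FREE a stray dereference is a plain NULL fault; after poison_free_var it is a fault on a tiny address whose value is the line of the free, which is the clue the mail is after. Note that `free(&**(varp))` is only a type check: it is the same pointer as `*(varp)`, but spelling it that way makes `poison_free_var(ptr)` a compile error rather than a silent misuse.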



More information about the samba-technical mailing list