From a9bd91de478ab29fa7bac2093479a1ccee1bbd87 Mon Sep 17 00:00:00 2001
From: Sergey Poznyakoff
Date: Sun, 21 Feb 2016 17:54:38 +0200
Subject: Fix dereferencing of freed memory.

Improper dereferencing occurred when trying to access master prog of a redirector.
* src/prog.h (prog) : New member.
* src/progman.c (destroy_prog) : Clear master pointers in both redirectors. : Check if master is NULL. (register_redir): Initialize r.comp.
---
 src/prog.h | 1 +
 src/progman.c | 20 ++++++++++++++------
 2 files changed, 15 insertions(+), 6 deletions(-)
(limited to 'src')
diff --git a/src/prog.h b/src/prog.h
index 4e86596..3358885 100644
--- a/src/prog.h
+++ b/src/prog.h
@@ -71,6 +71,7 @@ struct prog
 struct
 {
 char *tag;
+ struct component *comp;
 struct prog *master;
 } r;
diff --git a/src/progman.c b/src/progman.c
index a6202f3..1a5bc90 100644
--- a/src/progman.c
+++ b/src/progman.c
@@ -175,16 +175,23 @@ destroy_prog (struct prog **pp)
 if (p->v.p.status == status_listener && p->v.p.socket != -1)
 deregister_socket (p->v.p.socket);
 /* FIXME: Remove also all dependent progs (esp. tcpmux) */
+ if (p->v.p.redir[RETR_OUT])
+ p->v.p.redir[RETR_OUT]->v.r.master = NULL;
+ if (p->v.p.redir[RETR_ERR])
+ p->v.p.redir[RETR_ERR]->v.r.master = NULL;
 break;
 case TYPE_REDIRECTOR:
 {
 struct prog *master = p->v.r.master;
- component_ref_decr (master->v.p.comp);
- if (p == master->v.p.redir[0])
- master->v.p.redir[0] = NULL;
- else if (p == master->v.p.redir[1])
- master->v.p.redir[1] = NULL;
+ component_ref_decr (p->v.r.comp);
+ if (master)
+ {
+ if (p == master->v.p.redir[0])
+ master->v.p.redir[0] = NULL;
+ else if (p == master->v.p.redir[1])
+ master->v.p.redir[1] = NULL;
+ }
 /* else logmsg (LOG_NOTICE, _("orphan redirector: %s"), p->tag);*/
 free (p->v.r.tag);
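Review bot: The new `comp` member of `v.r` in src/prog.h carries no comment, although its lifetime rules differ from those of the `master` pointer declared next to it. Going by the progman.c hunks of this commit, `comp` is a counted reference taken in register_redir and dropped in destroy_prog, while `master` is a back-pointer that destroy_prog may now reset to NULL. I would document that at the declaration, e.g. `/* counted reference; released in destroy_prog */` on `comp` and `/* master prog, or NULL once it has been destroyed */` on `master`. The struct definition starts and ends outside this hunk.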
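Review bot: Once the TYPE_COMPONENT branch of destroy_prog clears `v.r.master`, that pointer can be NULL for as long as the orphaned redirector lives, but the only reader guarded in this hunk is the TYPE_REDIRECTOR branch. Any other dereference of `->v.r.master` in the program (none is visible here) would turn the former use-after-free into a NULL dereference, so each such reader needs the same `if (master)` check. As a smaller point, the added component lines index with `RETR_OUT`/`RETR_ERR` while the redirector branch keeps the literals `redir[0]`/`redir[1]`. Assuming the constants are 0 and 1, writing `if (p == master->v.p.redir[RETR_OUT])` there would keep the two sides visibly in step. destroy_prog begins and ends outside the hunk.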
@@ -222,8 +229,9 @@ register_redir (int type, struct prog *master)
 pp->type = TYPE_REDIRECTOR;
 pp->v.r.tag = tag;
 pp->v.r.master = master;
+ pp->v.r.comp = master->v.p.comp;
+ component_ref_incr (pp->v.r.comp);
 link_prog (pp, NULL);
- component_ref_incr (master->v.p.comp);
 return pp;
 }
--
cgit v1.2.1