[Fix] Fix possible memory corruption in redis pool

author Vsevolod Stakhov <vsevolod@highsecure.ru>

Thu, 12 Jan 2017 15:04:11 +0000 (15:04 +0000)

committer Vsevolod Stakhov <vsevolod@highsecure.ru>

Thu, 12 Jan 2017 15:04:11 +0000 (15:04 +0000)
author Vsevolod Stakhov <vsevolod@highsecure.ru>
Thu, 12 Jan 2017 15:04:11 +0000 (15:04 +0000)
committer Vsevolod Stakhov <vsevolod@highsecure.ru>
Thu, 12 Jan 2017 15:04:11 +0000 (15:04 +0000)
diff --git a/src/libserver/fuzzy_backend_redis.c b/src/libserver/fuzzy_backend_redis.c

index 3ecf732e273bc831a7861e2e62041e05cdd7ad5e..0ab6461314fd097b24114ce608a3e168707ad5fa 100644 (file)
--- a/src/libserver/fuzzy_backend_redis.c
+++ b/src/libserver/fuzzy_backend_redis.c
@@ -1296,8 +1296,8 @@ rspamd_fuzzy_backend_update_redis (struct rspamd_fuzzy_backend *bk,
  
         /* First of all check digest */
         session->nargs = nargs;
-       session->argv = g_malloc (sizeof (gchar *) * session->nargs);
-       session->argv_lens = g_malloc (sizeof (gsize) * session->nargs);
+       session->argv = g_malloc0 (sizeof (gchar *) * session->nargs);
+       session->argv_lens = g_malloc0 (sizeof (gsize) * session->nargs);
  
         up = rspamd_upstream_get (backend->write_servers,
                         RSPAMD_UPSTREAM_MASTER_SLAVE,
diff --git a/src/libserver/redis_pool.c b/src/libserver/redis_pool.c

index cf64c3efe1f18ea15c433aba63e20891fc3bdc54..4e1a788ad453f480b497d8e7005619a1095ff391 100644 (file)
--- a/src/libserver/redis_pool.c
+++ b/src/libserver/redis_pool.c
@@ -140,7 +140,10 @@ rspamd_redis_pool_conn_dtor (struct rspamd_redis_pool_connection *conn)
         }
  
  
-       g_list_free (conn->entry);
+       if (conn->entry) {
+               g_list_free (conn->entry);
+       }
+
         g_slice_free1 (sizeof (*conn), conn);
  }
  
@@ -344,16 +347,18 @@ rspamd_redis_pool_connect (struct rspamd_redis_pool *pool,
                         conn_entry = g_queue_pop_head_link (elt->inactive);
                         conn = conn_entry->data;
  
-                       if (event_get_base (&conn->timeout)) {
-                               event_del (&conn->timeout);
-                       }
-
                         if (conn->ctx->err == REDIS_OK) {
+                               if (event_get_base (&conn->timeout)) {
+                                       event_del (&conn->timeout);
+                               }
+
                                 conn->active = TRUE;
                                 g_queue_push_tail_link (elt->active, conn_entry);
                                 msg_debug_rpool ("reused existing connection to %s:%d", ip, port);
                         }
                         else {
+                               g_list_free (conn->entry);
+                               conn->entry = NULL;
                                 REF_RELEASE (conn);
                                 conn = rspamd_redis_pool_new_connection (pool, elt,
                                                 db, password, ip, port);
author	Vsevolod Stakhov <vsevolod@highsecure.ru>
	Thu, 12 Jan 2017 15:04:11 +0000 (15:04 +0000)
committer	Vsevolod Stakhov <vsevolod@highsecure.ru>
	Thu, 12 Jan 2017 15:04:11 +0000 (15:04 +0000)
src/libserver/fuzzy_backend_redis.c		patch \| blob \| history
src/libserver/redis_pool.c		patch \| blob \| history