author | Vsevolod Stakhov <vsevolod@highsecure.ru> | 2017-01-12 15:04:11 +0000 |
---|---|---|
committer | Vsevolod Stakhov <vsevolod@highsecure.ru> | 2017-01-12 15:04:11 +0000 |
commit | 6d02b7efe530b2e11ea5c968218360d66a5e1817 (patch) | |
tree | fd4741c56008847206de38d1896e41c588de83ae | |
parent | 8da4c8b1df36395074ca81963f4ae5cd209fd1ca (diff) | |
[Fix] Fix possible memory corruption in redis pool
MFH: true
-rw-r--r-- | src/libserver/fuzzy_backend_redis.c | 4 | ||||
-rw-r--r-- | src/libserver/redis_pool.c | 15 |
2 files changed, 12 insertions, 7 deletions
diff --git a/src/libserver/fuzzy_backend_redis.c b/src/libserver/fuzzy_backend_redis.c index 3ecf732e2..0ab646131 100644 --- a/src/libserver/fuzzy_backend_redis.c +++ b/src/libserver/fuzzy_backend_redis.c @@ -1296,8 +1296,8 @@ rspamd_fuzzy_backend_update_redis (struct rspamd_fuzzy_backend *bk, /* First of all check digest */ session->nargs = nargs; - session->argv = g_malloc (sizeof (gchar *) * session->nargs); - session->argv_lens = g_malloc (sizeof (gsize) * session->nargs); + session->argv = g_malloc0 (sizeof (gchar *) * session->nargs); + session->argv_lens = g_malloc0 (sizeof (gsize) * session->nargs); up = rspamd_upstream_get (backend->write_servers, RSPAMD_UPSTREAM_MASTER_SLAVE, diff --git a/src/libserver/redis_pool.c b/src/libserver/redis_pool.c index cf64c3efe..4e1a788ad 100644 --- a/src/libserver/redis_pool.c +++ b/src/libserver/redis_pool.c @@ -140,7 +140,10 @@ rspamd_redis_pool_conn_dtor (struct rspamd_redis_pool_connection *conn) } - g_list_free (conn->entry); + if (conn->entry) { + g_list_free (conn->entry); + } + g_slice_free1 (sizeof (*conn), conn); } @@ -344,16 +347,18 @@ rspamd_redis_pool_connect (struct rspamd_redis_pool *pool, conn_entry = g_queue_pop_head_link (elt->inactive); conn = conn_entry->data; - if (event_get_base (&conn->timeout)) { - event_del (&conn->timeout); - } - if (conn->ctx->err == REDIS_OK) { + if (event_get_base (&conn->timeout)) { + event_del (&conn->timeout); + } + conn->active = TRUE; g_queue_push_tail_link (elt->active, conn_entry); msg_debug_rpool ("reused existing connection to %s:%d", ip, port); } else { + g_list_free (conn->entry); + conn->entry = NULL; REF_RELEASE (conn); conn = rspamd_redis_pool_new_connection (pool, elt, db, password, ip, port); |
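Review bot: The two allocations in rspamd_fuzzy_backend_update_redis still compute their size by hand as `sizeof (gchar *) * session->nargs`, with no overflow check on the count. `g_new0` gives the same zeroed memory with that check built in: `session->argv = g_new0 (gchar *, session->nargs);` and `session->argv_lens = g_new0 (gsize, session->nargs);`. The switch to zeroed memory presumably matters because cleanup walks all nargs slots even when only some were filled, but that code is outside the hunk. A short comment such as `/* zeroed so that a partially filled argv can be freed safely */` would record the reason; the function body starts and ends outside the hunk.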
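Review bot: The new `if (conn->entry)` guard in rspamd_redis_pool_conn_dtor adds no protection by itself, since `g_list_free (NULL)` is already a no-op. The fix depends on every path that frees the link also clearing the pointer, as the else branch in rspamd_redis_pool_connect now does. `g_list_free` also follows `next` pointers, so it is only correct for a link already unlinked from its queue. `g_list_free_1 (conn->entry);` frees exactly one link and states that intent, both here and at the `g_list_free (conn->entry);` added in rspamd_redis_pool_connect. Whether the link is unlinked earlier in the destructor cannot be seen, because the function starts outside the hunk.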
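Review bot: The else branch of rspamd_redis_pool_connect now releases a connection whose timeout event may still be pending, because the `event_del` that used to run before the branch was moved into the `REDIS_OK` path. Unless the destructor removes the timer (that part is outside this diff), the callback could later run against freed memory. Keeping `if (event_get_base (&conn->timeout)) { event_del (&conn->timeout); }` ahead of `REF_RELEASE (conn);` would close that window. The branch also frees `conn->entry` while the link in hand is `conn_entry`; a comment such as `/* link was popped from elt->inactive above; free and clear it so the destructor skips it */` would make the ownership explicit. The function starts and ends outside the hunk.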