aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorVsevolod Stakhov <vsevolod@highsecure.ru>2017-01-12 15:04:11 +0000
committerVsevolod Stakhov <vsevolod@highsecure.ru>2017-01-12 15:04:11 +0000
commit6d02b7efe530b2e11ea5c968218360d66a5e1817 (patch)
treefd4741c56008847206de38d1896e41c588de83ae
parent8da4c8b1df36395074ca81963f4ae5cd209fd1ca (diff)
downloadrspamd-6d02b7efe530b2e11ea5c968218360d66a5e1817.tar.gz
rspamd-6d02b7efe530b2e11ea5c968218360d66a5e1817.zip
[Fix] Fix possible memory corruption in redis pool
MFH: true
-rw-r--r--src/libserver/fuzzy_backend_redis.c4
-rw-r--r--src/libserver/redis_pool.c15
2 files changed, 12 insertions, 7 deletions
diff --git a/src/libserver/fuzzy_backend_redis.c b/src/libserver/fuzzy_backend_redis.c
index 3ecf732e2..0ab646131 100644
--- a/src/libserver/fuzzy_backend_redis.c
+++ b/src/libserver/fuzzy_backend_redis.c
@@ -1296,8 +1296,8 @@ rspamd_fuzzy_backend_update_redis (struct rspamd_fuzzy_backend *bk,
/* First of all check digest */
session->nargs = nargs;
- session->argv = g_malloc (sizeof (gchar *) * session->nargs);
- session->argv_lens = g_malloc (sizeof (gsize) * session->nargs);
+ session->argv = g_malloc0 (sizeof (gchar *) * session->nargs);
+ session->argv_lens = g_malloc0 (sizeof (gsize) * session->nargs);
up = rspamd_upstream_get (backend->write_servers,
RSPAMD_UPSTREAM_MASTER_SLAVE,
diff --git a/src/libserver/redis_pool.c b/src/libserver/redis_pool.c
index cf64c3efe..4e1a788ad 100644
--- a/src/libserver/redis_pool.c
+++ b/src/libserver/redis_pool.c
@@ -140,7 +140,10 @@ rspamd_redis_pool_conn_dtor (struct rspamd_redis_pool_connection *conn)
}
- g_list_free (conn->entry);
+ if (conn->entry) {
+ g_list_free (conn->entry);
+ }
+
g_slice_free1 (sizeof (*conn), conn);
}
@@ -344,16 +347,18 @@ rspamd_redis_pool_connect (struct rspamd_redis_pool *pool,
conn_entry = g_queue_pop_head_link (elt->inactive);
conn = conn_entry->data;
- if (event_get_base (&conn->timeout)) {
- event_del (&conn->timeout);
- }
-
if (conn->ctx->err == REDIS_OK) {
+ if (event_get_base (&conn->timeout)) {
+ event_del (&conn->timeout);
+ }
+
conn->active = TRUE;
g_queue_push_tail_link (elt->active, conn_entry);
msg_debug_rpool ("reused existing connection to %s:%d", ip, port);
}
else {
+ g_list_free (conn->entry);
+ conn->entry = NULL;
REF_RELEASE (conn);
conn = rspamd_redis_pool_new_connection (pool, elt,
db, password, ip, port);