Commit ab66a56a by Matthieu Boutier Committed by Juliusz Chroboczek

Fix route->channels double-free corruption.

The code assumes that route->channels is NULL when route->channels_len
is 0, such that free(route->channels) will work.

Think about this scenario:
  update(r, some channels)  # route->channels = malloc(…)
  update(r, no channel)  # free(route->channels)
  update(r, no channel)  # free(route->channels)

Thanks to Dave Taht for pointing the issue.
1 parent e687a58f
Showing 1 changed file with 1 additions and 0 deletions
......@@ -918,6 +918,7 @@ update_route(const unsigned char *id,
if(channels_len == 0) {
free(route->channels);
route->channels = NULL;
route->channels_len = 0;
} else {
if(channels_len != route->channels_len) {
......
Styling with Markdown is supported
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!