Fix: Read from pointer after free
authorDavid Goulet <dgoulet@efficios.com>
Tue, 14 May 2013 17:13:53 +0000 (13:13 -0400)
committerDavid Goulet <dgoulet@efficios.com>
Wed, 15 May 2013 14:21:07 +0000 (10:21 -0400)
Also, a fd leak is fixed in an error path in the same thread.

Issue 1019889 of coverity scan.

Signed-off-by: David Goulet <dgoulet@efficios.com>
src/bin/lttng-sessiond/main.c

index efaaf4ffa99f40c5cc0dac877e796a7eda86e5ea..6f9834425192c3ca4b1f9f0e184071eb87f68b87 100644 (file)
@@ -1380,6 +1380,11 @@ static void *thread_dispatch_ust_registration(void *data)
                                wait_node = zmalloc(sizeof(*wait_node));
                                if (!wait_node) {
                                        PERROR("zmalloc wait_node dispatch");
+                                       ret = close(ust_cmd->sock);
+                                       if (ret < 0) {
+                                               PERROR("close ust sock dispatch %d", ust_cmd->sock);
+                                       }
+                                       lttng_fd_put(1, LTTNG_FD_APPS);
                                        free(ust_cmd);
                                        goto error;
                                }
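Review bot: The close / PERROR / `lttng_fd_put(1, LTTNG_FD_APPS)` sequence added in this zmalloc failure path is repeated verbatim in the `if (!app)` block of the second hunk. A small static helper would keep the descriptor close and the fd accounting paired, so a later error path cannot do one without the other. Taking the socket by value also means the log message never depends on `ust_cmd` still being allocated, which is the class of bug this commit fixes. thread_dispatch_ust_registration starts and ends outside the hunk, and the helper name below is only a suggestion.

```c
/* Close a registration socket that no application took ownership of and release its fd accounting slot. */
static void close_ust_cmd_sock(int sock)
{
	int ret = close(sock);

	if (ret < 0) {
		PERROR("close ust sock dispatch %d", sock);
	}
	lttng_fd_put(1, LTTNG_FD_APPS);
}

/* … unchanged: zmalloc of wait_node and its PERROR … */
					close_ust_cmd_sock(ust_cmd->sock);
					free(ust_cmd);
					goto error;
```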
@@ -1427,6 +1432,19 @@ static void *thread_dispatch_ust_registration(void *data)
                                                break;
                                        }
                                }
+
+                               /*
+                                * With no application at this stage the received socket is
+                                * basically useless so close it before we free the cmd data
+                                * structure for good.
+                                */
+                               if (!app) {
+                                       ret = close(ust_cmd->sock);
+                                       if (ret < 0) {
+                                               PERROR("close ust sock dispatch %d", ust_cmd->sock);
+                                       }
+                                       lttng_fd_put(1, LTTNG_FD_APPS);
+                               }
                                free(ust_cmd);
                        }
 
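Review bot: The `if (!app)` test closes the right sockets only if `app` is reset to NULL for every dequeued command, and its declaration and initialisation are outside this hunk, so that cannot be confirmed here. With the `else` branch removed in the third hunk, this check is the only close visible in these hunks for a command that ends up without an application. A stale non-NULL `app` would therefore leave the descriptor open and its `LTTNG_FD_APPS` slot unreleased. The comment could also state the ownership rule, e.g. `When app is set, ownership of ust_cmd->sock has passed to it, so it must not be closed here.`, which is presumably what the lookup loop above establishes and should be confirmed.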
@@ -1488,13 +1506,6 @@ static void *thread_dispatch_ust_registration(void *data)
 
                                rcu_read_unlock();
                                session_unlock_list();
-                       } else {
-                               /* Application manager threads are not available. */
-                               ret = close(ust_cmd->sock);
-                               if (ret < 0) {
-                                       PERROR("close ust_cmd sock");
-                               }
-                               lttng_fd_put(1, LTTNG_FD_APPS);
                        }
                } while (node != NULL);
 