From 7e38347d995c401a375c8f6160566784465b7873 Mon Sep 17 00:00:00 2001
From: Victor Julien
Date: Wed, 26 Feb 2014 15:14:14 +0100
Subject: [PATCH] stream-tcp: fix error handling in segment pool
When TcpSegmentPoolInit fails (e.g. because of a too low memcap), it would free the segment. However, the segment memory is managed by the Pool API, which would also free the same memory location. This patch fixes that. Also, memset the structure before any checks are done, as the segment memory is passed to TcpSegmentPoolCleanup in case of error as well. Bug #1108
---
 src/stream-tcp-reassemble.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/stream-tcp-reassemble.c b/src/stream-tcp-reassemble.c
index 21fc982127..4c9baaba52 100644
--- a/src/stream-tcp-reassemble.c
+++ b/src/stream-tcp-reassemble.c
@@ -174,19 +174,19 @@ int TcpSegmentPoolInit(void *data, void *payload_len)
 TcpSegment *seg = (TcpSegment *) data;
 uint16_t size = *((uint16_t *) payload_len);
+ /* do this before the can bail, so TcpSegmentPoolCleanup
+ * won't have uninitialized memory to consider. */
+ memset(seg, 0, sizeof (TcpSegment));
+
 if (StreamTcpReassembleCheckMemcap((uint32_t)size + (uint32_t)sizeof(TcpSegment)) == 0) {
- SCFree(seg);
 return 0;
 }
- memset(seg, 0, sizeof (TcpSegment));
-
 seg->pool_size = size;
 seg->payload_len = seg->pool_size;
 seg->payload = SCMalloc(seg->payload_len);
 if (seg->payload == NULL) {
- SCFree(seg);
 return 0;
 }
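Review bot: On the `SCMalloc` failure path the function now returns 0 with `seg->pool_size` and `seg->payload_len` already set to `size` while `seg->payload` is NULL, and per the commit message that segment is then handed to TcpSegmentPoolCleanup. That function is not in this hunk; if it decrements the reassembly memuse counter from `seg->pool_size`, it would subtract bytes that were presumably never added on this path, which could skew or wrap the memcap accounting. It is worth confirming, and if so adding `seg->pool_size = 0; seg->payload_len = 0;` before the second `return 0;`. The new comment has a typo and would read better as `/* do this before we can bail, so TcpSegmentPoolCleanup won't see uninitialized memory. */`. TcpSegmentPoolInit starts above and continues below this hunk.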