From 1d90e06436151ae9ce4c958227570ae499137b3a Mon Sep 17 00:00:00 2001 From: Christian Brauner Date: Sat, 3 Jun 2017 20:28:13 +0200 Subject: [PATCH] conf: avoid double-frees in userns_exec_1() Signed-off-by: Christian Brauner --- src/lxc/conf.c | 42 +++++++++++++++++++++++++----------------- 1 file changed, 25 insertions(+), 17 deletions(-) diff --git a/src/lxc/conf.c b/src/lxc/conf.c index 208c5ca0d..f5357d51b 100644 --- a/src/lxc/conf.c +++ b/src/lxc/conf.c @@ -4837,17 +4837,16 @@ int userns_exec_1(struct lxc_conf *conf, int (*fn)(void *), void *data) goto on_error; } + host_uid_map = container_root_uid; + host_gid_map = container_root_gid; + /* Check whether the {g,u}id of the user has a mapping. */ euid = geteuid(); egid = getegid(); - if (euid == container_root_uid->hostid) - host_uid_map = container_root_uid; - else + if (euid != container_root_uid->hostid) host_uid_map = idmap_add(conf, euid, ID_TYPE_UID); - if (egid == container_root_gid->hostid) - host_gid_map = container_root_gid; - else + if (egid != container_root_gid->hostid) host_gid_map = idmap_add(conf, egid, ID_TYPE_GID); if (!host_uid_map) { @@ -4873,7 +4872,7 @@ int userns_exec_1(struct lxc_conf *conf, int (*fn)(void *), void *data) lxc_list_add_elem(tmplist, container_root_uid); lxc_list_add_tail(idmap, tmplist); - if (host_uid_map != container_root_uid) { + if (host_uid_map && (host_uid_map != container_root_uid)) { /* idmap will now keep track of that memory. */ container_root_uid = NULL; @@ -4883,9 +4882,11 @@ int userns_exec_1(struct lxc_conf *conf, int (*fn)(void *), void *data) goto on_error; lxc_list_add_elem(tmplist, host_uid_map); lxc_list_add_tail(idmap, tmplist); - /* idmap will now keep track of that memory. */ - host_uid_map = NULL; } + /* idmap will now keep track of that memory. */ + container_root_uid = NULL; + /* idmap will now keep track of that memory. */ + host_uid_map = NULL; tmplist = malloc(sizeof(*tmplist)); if (!tmplist) 
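Review bot: The two new defaults at the top of the first hunk, `host_uid_map = container_root_uid;` and its gid twin, make the host pointers aliases of the container-root entries, and nothing in the code says that ownership is now decided by pointer equality. A comment above them would help, for example `/* host_{u,g}id_map alias container_root_{u,g}id unless the caller's effective id needs its own entry from idmap_add(); on_error compares the pointers so a shared entry is freed only once. */`. The function starts and ends outside this hunk, so the initial values of the four pointers are not visible here.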
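Review bot: In the hunks at -4873 and -4883, `container_root_uid = NULL;` now appears both inside the `if` block and right after it, under the same comment, and the reason both are needed is not written down. The one inside the block keeps on_error from freeing an entry idmap already holds if the second `malloc()` fails. The one after the block has to follow the `host_uid_map != container_root_uid` test, because clearing it earlier would make an aliased host pointer look distinct and add the same entry to idmap a second time. I would replace the repeated comment with one that says so, e.g. `/* Clear only after the alias test above: idmap owns the entry, and in the alias case both names point at it. */`; the added `host_uid_map &&` also looks redundant if the `if (!host_uid_map)` branch in the first hunk always jumps to on_error (its body is outside the hunk). The same applies to the gid hunks at -4893 and -4902.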
@@ -4893,7 +4894,7 @@ int userns_exec_1(struct lxc_conf *conf, int (*fn)(void *), void *data) lxc_list_add_elem(tmplist, container_root_gid); lxc_list_add_tail(idmap, tmplist); - if (host_gid_map != container_root_gid) { + if (host_gid_map && (host_gid_map != container_root_gid)) { /* idmap will now keep track of that memory. */ container_root_gid = NULL; @@ -4902,9 +4903,11 @@ int userns_exec_1(struct lxc_conf *conf, int (*fn)(void *), void *data) goto on_error; lxc_list_add_elem(tmplist, host_gid_map); lxc_list_add_tail(idmap, tmplist); - /* idmap will now keep track of that memory. */ - host_gid_map = NULL; } + /* idmap will now keep track of that memory. */ + container_root_gid = NULL; + /* idmap will now keep track of that memory. */ + host_gid_map = NULL; if (lxc_log_get_level() == LXC_LOG_PRIORITY_TRACE || conf->loglevel == LXC_LOG_PRIORITY_TRACE) { @@ -4937,11 +4940,16 @@ int userns_exec_1(struct lxc_conf *conf, int (*fn)(void *), void *data) ret = wait_for_pid(pid); on_error: - lxc_free_idmap(idmap); - free(container_root_uid); - free(container_root_gid); - free(host_uid_map); - free(host_gid_map); + if (idmap) + lxc_free_idmap(idmap); + if (container_root_uid) + free(container_root_uid); + if (container_root_gid) + free(container_root_gid); + if (host_uid_map && (host_uid_map != container_root_uid)) + free(host_uid_map); + if (host_gid_map && (host_gid_map != container_root_gid)) + free(host_gid_map); if (p[0] != -1) close(p[0]); -- 2.39.5
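Review bot: In the on_error block the tests `host_uid_map != container_root_uid` and `host_gid_map != container_root_gid` run after `free(container_root_uid)` and `free(container_root_gid)`, so they read pointer values that C treats as indeterminate once the object has been freed. It works on common platforms, but for a fix aimed at double-frees I would free the host entries first, so the comparison never touches a released pointer. The `if (p)` guards in front of `free()` are unnecessary because `free(NULL)` is a no-op; whether `lxc_free_idmap()` accepts NULL is not visible here, so that guard may be needed. on_error continues past the end of the hunk.

```c
on_error:
	/* … unchanged: lxc_free_idmap(idmap) under its NULL check … */
	/* Compare before anything is freed: host_*_map may alias container_root_*. */
	if (host_uid_map && (host_uid_map != container_root_uid))
		free(host_uid_map);
	if (host_gid_map && (host_gid_map != container_root_gid))
		free(host_gid_map);
	free(container_root_uid);
	free(container_root_gid);
	/* … unchanged: closing p[0] … */
```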