zhanghailiang writes: > The function monitor_fdset_dup_fd_find_remove() references member of > 'mon_fdset' > which may be freed in function monitor_fdset_cleanup() > > Signed-off-by: zhanghailiang <zhang.zhanghaili...@huawei.com> > --- > monitor.c | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > > diff --git a/monitor.c b/monitor.c > index 5bc70a6..41e46a6 100644 > --- a/monitor.c > +++ b/monitor.c > @@ -2532,8 +2532,10 @@ static int monitor_fdset_dup_fd_find_remove(int > dup_fd, bool remove) > { > MonFdset *mon_fdset; > MonFdsetFd *mon_fdset_fd_dup; > + int64_t id = -1; > > QLIST_FOREACH(mon_fdset, &mon_fdsets, next) { > + id = mon_fdset->id; > QLIST_FOREACH(mon_fdset_fd_dup, &mon_fdset->dup_fds, next) { > if (mon_fdset_fd_dup->fd == dup_fd) { > if (remove) { > @@ -2542,7 +2544,7 @@ static int monitor_fdset_dup_fd_find_remove(int dup_fd, > bool remove) > monitor_fdset_cleanup(mon_fdset); > } > } > - return mon_fdset->id; > + return id; > } > } > }
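Review bot: in the first hunk the new local is `int64_t id = -1;` but the function is declared `static int monitor_fdset_dup_fd_find_remove(int dup_fd, bool remove)`, so the saved id is silently truncated to `int` at `return id;`; either make the function return `int64_t` or declare the local with the function's return type so the width of the id it hands back is deliberate. The copy `id = mon_fdset->id;` at the top of every outer `QLIST_FOREACH` iteration is also wider than it needs to be: the set can only be freed on the path where `monitor_fdset_cleanup(mon_fdset)` runs inside `if (remove)`, so taking the copy inside the `if (mon_fdset_fd_dup->fd == dup_fd)` block, right before the remove branch, keeps the reason for the copy visible at the point it matters and makes the `-1` initializer unnecessary.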
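Review bot: `return id;` in the second hunk removes the read of `mon_fdset->id` after `monitor_fdset_cleanup(mon_fdset)` may have freed the set, which is the right fix, but the commit message should say that the freed read only occurs when `remove` is true, and the function should carry a comment that after a remove the id it returns may name a set that no longer exists, so callers must not use it to look the set up again. A short "after remove the set may already be gone" line above the `if (remove) {` block would make that contract clear to the next reader.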
If monitor_fdset_cleanup closes the FD, won't you now be passing an invalid fd to the calling function? -- Alex Bennée
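The shape of the fix under discussion, as an added example that is not QEMU's code: a constructed model of a list of fd sets, each owning a list of dup'd fds, where the cleanup routine frees a set once its last dup fd is removed. The lookup copies the set id into a local before cleanup can run, exactly as the patch does, so the return path never touches freed memory. The names (FdSet, DupFd, fdset_add, fdset_cleanup, find_remove) and the poisoning of the id before free are assumptions made for the example.

```c
#include <assert.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed model of the monitor fdset bookkeeping (not QEMU's code):
 * a global list of sets, each owning a list of dup'd fds. */
typedef struct DupFd {
    int fd;
    struct DupFd *next;
} DupFd;

typedef struct FdSet {
    int64_t id;
    DupFd *dup_fds;
    struct FdSet *next;
} FdSet;

static FdSet *fdsets;          /* head of the global set list */
static int sets_freed;         /* how many sets cleanup has released */

/* Plays the role of monitor_fdset_cleanup(): once a set has no dup fds
 * left it is unlinked and freed, so the caller's pointer is dangling. */
static void fdset_cleanup(FdSet *set)
{
    if (set->dup_fds != NULL) {
        return;
    }
    for (FdSet **pp = &fdsets; *pp; pp = &(*pp)->next) {
        if (*pp == set) {
            *pp = set->next;
            break;
        }
    }
    set->id = -99;             /* poison (assumed) so a stale read is obvious */
    free(set);
    sets_freed++;
}

/* Record fd as a dup'd fd of set id, creating the set on first use. */
static int64_t fdset_add(int64_t id, int fd)
{
    FdSet *set;
    for (set = fdsets; set; set = set->next) {
        if (set->id == id) {
            break;
        }
    }
    if (!set) {
        set = calloc(1, sizeof(*set));
        if (!set) {
            return -1;
        }
        set->id = id;
        set->next = fdsets;
        fdsets = set;
    }
    DupFd *d = calloc(1, sizeof(*d));
    if (!d) {
        return -1;
    }
    d->fd = fd;
    d->next = set->dup_fds;
    set->dup_fds = d;
    return id;
}

/* The patched shape of monitor_fdset_dup_fd_find_remove(): the set id is
 * copied into a local before fdset_cleanup() can free the set, so the
 * return never dereferences freed memory. Returns -1 when fd is unknown. */
static int64_t find_remove(int dup_fd, bool remove)
{
    for (FdSet *set = fdsets; set; set = set->next) {
        for (DupFd **dp = &set->dup_fds; *dp; dp = &(*dp)->next) {
            if ((*dp)->fd == dup_fd) {
                int64_t id = set->id;       /* saved before any free */
                if (remove) {
                    DupFd *d = *dp;
                    *dp = d->next;
                    free(d);
                    fdset_cleanup(set);     /* may free 'set' */
                }
                return id;                  /* not set->id */
            }
        }
    }
    return -1;
}

static int fdsets_freed(void)
{
    return sets_freed;
}

int main(void)
{
    fdset_add(7, 10);
    fdset_add(7, 11);
    printf("lookup 10 -> set %lld\n", (long long)find_remove(10, false));
    printf("remove 10 -> set %lld\n", (long long)find_remove(10, true));
    printf("remove 11 -> set %lld (sets freed: %d)\n",
           (long long)find_remove(11, true), fdsets_freed());
    printf("lookup 11 -> %lld\n", (long long)find_remove(11, false));
    return 0;
}
```

Removing the last fd of set 7 frees the set inside find_remove(), yet the call still returns 7 because the id was copied first; a later lookup of the same fd returns -1 because the set is gone, which is the situation the second hunk's callers have to be prepared for.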