From e5791f74f0bb3f52efa5429b5ae9425cbde46f97 Mon Sep 17 00:00:00 2001
From: Fedor Indutny
Date: Sat, 3 Aug 2013 13:09:02 +0400
Subject: [PATCH] crypto: fix another over-run in bio

When doing `FreeEmpty`, `NodeBIO` skips pre-allocated `head_` buffer. However this might lead to double-freeing buffers since in `~NodeBIO()` we're starting deallocation from `head_` buffer.
---
 src/node_crypto_bio.cc | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/src/node_crypto_bio.cc b/src/node_crypto_bio.cc
index 6783184ed1..1f1eb3b1ea 100644
--- a/src/node_crypto_bio.cc
+++ b/src/node_crypto_bio.cc
@@ -232,9 +232,12 @@ void NodeBIO::FreeEmpty() {
 if (cur == write_head_ || cur == read_head_) return;
+ Buffer* prev = child;
 while (cur != read_head_) {
- // Skip embedded buffer
+ // Skip embedded buffer, and continue deallocating again starting from it
 if (cur == &head_) {
+ prev->next_ = cur;
+ prev = cur;
 cur = head_.next_;
 continue;
 }
@@ -242,11 +245,11 @@ void NodeBIO::FreeEmpty() {
 assert(cur->write_pos_ == cur->read_pos_);
 Buffer* next = cur->next_;
- child->next_ = next;
 delete cur;
- cur = next;
 }
+ assert(prev == child || prev == &head_);
+ prev->next_ = cur;
 }
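Review bot: The rewritten comment on the `cur == &head_` branch says what the branch does but not why `prev` has to be re-pointed there, and the reason the branch exists at all — `head_` is the embedded buffer, so it presumably cannot be handed to `delete` like the others — is left to the commit message. A comment such as `// head_ is embedded in NodeBIO and is never deleted here: splice it back in after prev and resume freeing from its successor` would let a reader follow the `prev` bookkeeping without the history. `child` and `cur` are initialised before this hunk, so the start of FreeEmpty is outside the shown lines.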
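Review bot: As rendered, the hunk removes `cur = next;` along with `child->next_ = next;`, so after `delete cur;` the loop variable is never advanced: the next iteration re-tests `cur != read_head_` through a freed pointer, reads `cur->write_pos_` from it and deletes it a second time, which is exactly the over-run class this commit sets out to fix. The `next` local is also left unused, which a compiler warning would have flagged. Only `child->next_ = next;` should go; keep `cur = next;` directly after `delete cur;`. The trailing `assert(prev == child || prev == &head_)` can only ever hold given the two assignments to `prev` in this function, so it documents the intended splice point rather than checking anything. FreeEmpty begins before this hunk; its closing brace is the hunk's last shown line.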