From: ori@eigenstate.org
To: 9front@9front.org
Date: Sun, 11 Apr 2021 19:59:35 -0700
Subject: Re: [9front] upas/Mail: fix multiple suicides (use after free, double free) in mbox.c (patch)
Message-ID: <97FDE9A5306132622D1D4F91D0453FA9@eigenstate.org>
In-Reply-To: <9F7C695CA1C76DA9023BE33F535E8C8F@9lab.org>

Quoth igor@9lab.org:
> Below is a patch (inline) that fixes two variants of a suicide (use
> after free, double free) in Mail/mbox.c on latest 9front 'Mit
> Fruchtgeschmack' (explanation with reproducible test instructions
> below) when messages are deleted/moved in bulk:
>
>
> diff -r 4dfbef4fa4ac sys/src/cmd/upas/Mail/mbox.c > --- a/sys/src/cmd/upas/Mail/mbox.c Sat Apr 03 19:32:47 2021 +0200 > +++ b/sys/src/cmd/upas/Mail/mbox.c Fri Apr 09 02:54:10 2021 +0200
> @@ -675,10 +675,11 @@ > static void > mbflush(char **, int) > { > - int i, j, ln, fd; > + int i, j, ln, fd, nmesg; > char *path; > Mesg *m, *p; > > + nmesg = mbox.nmesg; > path = estrjoin(maildir, "/ctl", nil); > fd = open(path, OWRITE); > free(path); > @@ -708,11 +709,13 @@ > mbredraw(m->child[j], 1, 1); > } > > - for(i = 0, j = 0; i < mbox.nmesg; i++){ > + for(i = 0, j = 0; i < nmesg; i++){ > m = mbox.mesg[i]; > - if((m->state & Szap) != 0) > + if((m->state & Szap) != 0){ > mesgfree(m); > - else > + mbox.mesg[i] = nil; > + mbox.nmesg--; > + }else > mbox.mesg[j++] = m; > } I think I prefer this patch: diff -r 503c5ef2d2b5 sys/src/cmd/upas/Mail/mbox.c --- a/sys/src/cmd/upas/Mail/mbox.c Sun Apr 11 20:20:41 2021 +0200 +++ b/sys/src/cmd/upas/Mail/mbox.c Sun Apr 11 19:58:55 2021 -0700 @@ -715,6 +715,7 @@ else mbox.mesg[j++] = m; } + mbox.nmesg = j; close(fd); fprint(mbox.ctl, "clean\n");
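
Review bot: In the first quoted hunk (@@ -675), `nmesg = mbox.nmesg;` is captured at the top of mbflush, well before the compaction loop that consumes it. If anything between those two points changes mbox.nmesg, the loop bound is stale. Take the snapshot immediately before the `for`, or drop the extra variable and set the count once after the loop.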
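
Review bot: In the second quoted hunk (@@ -708), the Szap branch tracks the new length twice: `mbox.nmesg--` counts removals while `j` already counts survivors. The `mbox.mesg[i] = nil;` store also does not leave a clean tail, because a survivor that is moved down by `mbox.mesg[j++] = m;` leaves a duplicate pointer in its old slot. Assigning `mbox.nmesg = j;` after the loop states the invariant directly; if the tail should be scrubbed, nil the slots from j up to the old count after the loop.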
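
Review bot: In the follow-up hunk (@@ -715), `mbox.nmesg = j;` after the loop fixes the length, but the slots from j up to the old count still hold pointers to Mesg structures released by mesgfree, or duplicates of entries that were moved down. That is safe only while every reader bounds its index by mbox.nmesg; clearing those slots to nil after the loop would make a stray index fail on a nil pointer rather than touch freed memory. A one-line comment saying that the loop compacts mbox.mesg in place and that j is the new length would also help.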