From patchwork Thu Dec 5 06:58:04 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Mathieu Desnoyers X-Patchwork-Id: 3552093 From: mathieu.desnoyers at efficios.com (Mathieu Desnoyers) Date: Thu, 5 Dec 2019 01:58:04 -0500 Subject: [lttng-dev] [PATCH babeltrace-1.5 1/6] Fix: lttng-live: use-after-free in get_next_index() In-Reply-To: <20191205065809.16728-1-mathieu.desnoyers@efficios.com> References: <20191205065809.16728-1-mathieu.desnoyers@efficios.com> Message-ID: <20191205065809.16728-2-mathieu.desnoyers@efficios.com> Running babeltrace under valgrind with a test-cases doing per-pid lttng tracing in live mode triggers this use-after-free in get_next_index() when stream is hung up. Signed-off-by: Mathieu Desnoyers --- formats/lttng-live/lttng-live-comm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/formats/lttng-live/lttng-live-comm.c b/formats/lttng-live/lttng-live-comm.c index 33a78029..96817f5e 100644 --- a/formats/lttng-live/lttng-live-comm.c +++ b/formats/lttng-live/lttng-live-comm.c @@ -1108,8 +1108,8 @@ retry: viewer_stream->in_trace = 0; bt_list_del(&viewer_stream->trace_stream_node); bt_list_del(&viewer_stream->session_stream_node); - g_free(viewer_stream); *stream_id = be64toh(rp->stream_id); + g_free(viewer_stream); break; case LTTNG_VIEWER_INDEX_ERR: fprintf(stderr, "[error] get_next_index: error\n");
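Review bot: The moved `g_free(viewer_stream);` in the case that precedes `LTTNG_VIEWER_INDEX_ERR` only closes the use-after-free if `rp` points into storage owned by `viewer_stream`, and neither the hunk nor the commit message says that it does. A short comment above `*stream_id = be64toh(rp->stream_id);` stating that `rp` aliases `viewer_stream`, and that the free must therefore stay last, would keep a later cleanup from moving it back. The pointer is also left dangling after the free: if any code after the `break` can still reach `viewer_stream`, set it to NULL here so a stale use faults instead of reading freed memory. The commit message refers to "this use-after-free" without including the valgrind report; adding the relevant frames would let a reader confirm that this read is the one reported.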