From aa1c2a3c58f59790b6bf2d45908d0e731d68a6c9 Mon Sep 17 00:00:00 2001
From: Arnaud Giersch
Date: Mon, 23 Sep 2013 21:39:56 +0200
Subject: [PATCH] Fix use after free (data is removed by the call to xbt_dict_remove()).
---
 src/smpi/smpi_bench.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/src/smpi/smpi_bench.c b/src/smpi/smpi_bench.c
index 84a0bac483..6e0b4099a8 100644
--- a/src/smpi/smpi_bench.c
+++ b/src/smpi/smpi_bench.c
@@ -342,6 +342,13 @@ void smpi_sample_3(int global, const char *file, int line)
 }
 #ifndef WIN32
+static void smpi_shared_alloc_free(void *p)
+{
+ shared_data_t *data = p;
+ xbt_free(data->loc);
+ xbt_free(data);
+}
+
 void *smpi_shared_malloc(size_t size, const char *file, int line)
 {
 char *loc = bprintf("%zu_%s_%d", (size_t)getpid(), file, line);
@@ -358,7 +365,7 @@ void *smpi_shared_malloc(size_t size, const char *file, int line)
 }
 }
 if (!allocs) {
- allocs = xbt_dict_new_homogeneous(free);
+ allocs = xbt_dict_new_homogeneous(smpi_shared_alloc_free);
 }
 data = xbt_dict_get_or_null(allocs, loc);
 if(!data) {
@@ -426,7 +433,6 @@ void smpi_shared_free(void *ptr)
 if (data->count <= 0) {
 close(data->fd);
 xbt_dict_remove(allocs, data->loc);
- free(data->loc);
 XBT_DEBUG("Shared free - with removal - of %p", ptr);
 }
 }else{
--
2.20.1
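Review bot: `smpi_shared_alloc_free` is added without a comment saying what it owns, and it releases only `data->loc` and the struct itself, not `data->fd`. As far as this patch shows, the descriptor is closed only in `smpi_shared_free`, just before `xbt_dict_remove()`. Any other path that makes the dict drop an entry (tearing the dict down, or replacing a key) would presumably leak the descriptor; whether such a path exists is not visible here. I would add above the function: `/* Value destructor for allocs: frees loc and the entry itself; the caller must already have closed fd. */`.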
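Review bot: In `smpi_shared_free`, the key passed to `xbt_dict_remove(allocs, data->loc)` now points into memory that the dict's free function releases during that same call, so the call is safe only if the dict never reads its key argument after running the value destructor. That ordering is not visible in this patch and should be confirmed, or the dependency avoided by passing a key that outlives the call. Because `data` is dangling once the call returns, a comment on the following line would help: `/* data and data->loc were freed by the dict; do not use them past this point */`. The body of `smpi_shared_free` continues outside the hunk, so later uses of `data` could not be checked.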