conf: avoid double-frees in userns_exec_1()

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

conf: avoid double-frees in userns_exec_1()
1d90e064 · Christian Brauner · b0ee5983 · 1d90e064
Unverified Commit 1d90e064 authored Jun 03, 2017 by Christian Brauner
Hide whitespace changes
Inline Side-by-side

Showing with 25 additions and 17 deletions

conf.c src/lxc/conf.c +25 -17

No files found.
--- a/src/lxc/conf.c
+++ b/src/lxc/conf.c
@@ -4837,17 +4837,16 @@ int userns_exec_1(struct lxc_conf *conf, int (*fn)(void *), void *data)
 		goto on_error;
 	}
+	host_uid_map = container_root_uid;
+	host_gid_map = container_root_gid;
 	/* Check whether the {g,u}id of the user has a mapping. */
 	euid = geteuid();
 	egid = getegid();
-	if (euid == container_root_uid->hostid)
+	if (euid != container_root_uid->hostid)
-		host_uid_map = container_root_uid;
-	else
 		host_uid_map = idmap_add(conf, euid, ID_TYPE_UID);
-	if (egid == container_root_gid->hostid)
+	if (egid != container_root_gid->hostid)
-		host_gid_map = container_root_gid;
-	else
 		host_gid_map = idmap_add(conf, egid, ID_TYPE_GID);
 	if (!host_uid_map) {
@@ -4873,7 +4872,7 @@ int userns_exec_1(struct lxc_conf *conf, int (*fn)(void *), void *data)
 	lxc_list_add_elem(tmplist, container_root_uid);
 	lxc_list_add_tail(idmap, tmplist);
-	if (host_uid_map != container_root_uid) {
+	if (host_uid_map && (host_uid_map != container_root_uid)) {
 		/* idmap will now keep track of that memory. */
 		container_root_uid = NULL;
@@ -4883,9 +4882,11 @@ int userns_exec_1(struct lxc_conf *conf, int (*fn)(void *), void *data)
 			goto on_error;
 		lxc_list_add_elem(tmplist, host_uid_map);
 		lxc_list_add_tail(idmap, tmplist);
-		/* idmap will now keep track of that memory. */
-		host_uid_map = NULL;
 	}
+	/* idmap will now keep track of that memory. */
+	container_root_uid = NULL;
+	/* idmap will now keep track of that memory. */
+	host_uid_map = NULL;
 	tmplist = malloc(sizeof(*tmplist));
 	if (!tmplist)
@@ -4893,7 +4894,7 @@ int userns_exec_1(struct lxc_conf *conf, int (*fn)(void *), void *data)
 	lxc_list_add_elem(tmplist, container_root_gid);
 	lxc_list_add_tail(idmap, tmplist);
-	if (host_gid_map != container_root_gid) {
+	if (host_gid_map && (host_gid_map != container_root_gid)) {
 		/* idmap will now keep track of that memory. */
 		container_root_gid = NULL;
@@ -4902,9 +4903,11 @@ int userns_exec_1(struct lxc_conf *conf, int (*fn)(void *), void *data)
 			goto on_error;
 		lxc_list_add_elem(tmplist, host_gid_map);
 		lxc_list_add_tail(idmap, tmplist);
-		/* idmap will now keep track of that memory. */
-		host_gid_map = NULL;
 	}
+	/* idmap will now keep track of that memory. */
+	container_root_gid = NULL;
+	/* idmap will now keep track of that memory. */
+	host_gid_map = NULL;
 	if (lxc_log_get_level() == LXC_LOG_PRIORITY_TRACE ||
 	    conf->loglevel == LXC_LOG_PRIORITY_TRACE) {
@@ -4937,11 +4940,16 @@ int userns_exec_1(struct lxc_conf *conf, int (*fn)(void *), void *data)
 	ret = wait_for_pid(pid);
 on_error:
-	lxc_free_idmap(idmap);
+	if (idmap)
-	free(container_root_uid);
+		lxc_free_idmap(idmap);
-	free(container_root_gid);
+	if (container_root_uid)
-	free(host_uid_map);
+		free(container_root_uid);
-	free(host_gid_map);
+	if (container_root_gid)
+		free(container_root_gid);
+	if (host_uid_map && (host_uid_map != container_root_uid))
+		free(host_uid_map);
+	if (host_gid_map && (host_gid_map != container_root_gid))
+		free(host_gid_map);
 	if (p[0] != -1)
 		close(p[0]);