From 9ce583b6cd6f55d473e5b54794fb06450997ebc8 Mon Sep 17 00:00:00 2001
From: Michael Adam
Date: Tue, 25 Oct 2016 13:46:18 +0200
Subject: swrap: fix use-after-free in swrap_remove_stale()
Signed-off-by: Michael Adam
Reviewed-by: Andreas Schneider
---
 src/socket_wrapper.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
(limited to 'src')
diff --git a/src/socket_wrapper.c b/src/socket_wrapper.c
index 1961549..40e2f04 100644
--- a/src/socket_wrapper.c
+++ b/src/socket_wrapper.c
@@ -1721,17 +1721,19 @@ static void swrap_remove_stale(int fd)
 {
 struct socket_info_fd *fi = find_socket_info_fd(fd);
 struct socket_info *si;
+ int si_index;
 if (fi == NULL) {
 return;
 }
- si = &sockets[fi->si_index];
+ si_index = fi->si_index;
 SWRAP_LOG(SWRAP_LOG_TRACE, "remove stale wrapper for %d", fd);
 SWRAP_DLIST_REMOVE(socket_fds, fi);
 free(fi);
+ si = &sockets[fi->si_index];
 si->refcount--;
 if (si->refcount > 0) {
@@ -1743,7 +1745,7 @@ static void swrap_remove_stale(int fd)
 }
 si->next_free = first_free;
- first_free = fi->si_index;
+ first_free = si_index;
 }
 static int sockaddr_convert_to_un(struct socket_info *si,
-- cgit
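Review bot: The added line `si = &sockets[fi->si_index];` in the first hunk comes directly after `free(fi);`, so it still dereferences freed memory and the use-after-free named in the subject remains for the `si` lookup. The index was already saved into `si_index` before the free, and the second hunk uses that copy, so this line should be `si = &sockets[si_index];`. Because the value read here selects the entry that `si->refcount--` then writes to, a reused allocation could point that write at the wrong `sockets[]` slot, or possibly outside the array. The part of swrap_remove_stale() between the two hunks is not shown, so any other reads of `fi` there should be checked as well.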