From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from smtp55.i.mail.ru (smtp55.i.mail.ru [217.69.128.35]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dev.tarantool.org (Postfix) with ESMTPS id B8205469710 for ; Mon, 18 May 2020 14:44:11 +0300 (MSK) From: Alexander Turenko Date: Mon, 18 May 2020 14:42:57 +0300 Message-Id: <20510af779a64e57b1f31ccc9245f9a0e9710cf2.1589799677.git.alexander.turenko@tarantool.org> In-Reply-To: References: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Subject: [Tarantool-patches] [PATCH 1/2] popen: fix access to freed memory after :close() List-Id: Tarantool development patches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: Vladislav Shpilevoy , "Alexander V . Tikhonov" Cc: tarantool-patches@dev.tarantool.org, Alexander Turenko popen_delete() always frees a handle memory even when it reports a failure to send SIGKILL, see [1]. We should reflect this contract in popen_handle:close() and mark the handle as closed despite popen_delete() return value. There are cases, when killpg() fails with EPERM on Mac OS, so popen_delete() reports a failure. See [1] for more information. [1]: 01657bfbb9b34997f20d27405226a9affdeeb520 ('popen: always free resources in popen_delete()') Fixes #4995 --- src/lua/popen.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/lua/popen.c b/src/lua/popen.c index 0e930e91b..471964ee6 100644 --- a/src/lua/popen.c +++ b/src/lua/popen.c @@ -2258,11 +2258,11 @@ lbox_popen_close(struct lua_State *L) return 1; } + luaT_mark_popen_handle_closed(L, 1); + if (popen_delete(handle) != 0) return luaT_push_nil_and_error(L); - luaT_mark_popen_handle_closed(L, 1); - lua_pushboolean(L, true); return 1; } -- 2.25.0
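Review bot: In lbox_popen_close(), the relocated luaT_mark_popen_handle_closed(L, 1) call now sits ahead of popen_delete(handle) with no comment, yet that ordering is the entire fix. A short comment above it, stating that popen_delete() frees the handle memory even when it returns non-zero and so the Lua handle must be marked closed on both paths, would keep a later cleanup from moving the call back below the error return and reintroducing the access to freed memory. The error path still returns luaT_push_nil_and_error(L), so a caller now gets nil plus an error from a handle that is nonetheless closed. The documentation for popen_handle:close() should say so explicitly, so that callers do not retry :close() or keep using the handle after a failure. The diffstat shows only src/lua/popen.c changed. If the second patch in the series does not add one, a regression test that calls a method on the handle after a failed :close() and expects the closed-handle error would cover this.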