diff options
author | Bernhard Reutner-Fischer <rep.dot.nop@gmail.com> | 2008-10-29 13:34:35 +0000 |
---|---|---|
committer | Bernhard Reutner-Fischer <rep.dot.nop@gmail.com> | 2008-10-29 13:34:35 +0000 |
commit | ea7af1aad7288e6bd9b146f895b260eadd904ea8 (patch) | |
tree | 29ca4761fc5d3547f8dc1bf35062ce7a98d7a7de /ldso/libdl | |
parent | 8723f09bca2b238cdef3a7d32c3dd02e2fdf834e (diff) |
- fix use after free (Kevin Day)
dl_cleanup will call do_dlclose with the handle.
Inside of do_dlclose, the handle will ultimately get free'd.
Diffstat (limited to 'ldso/libdl')
-rw-r--r-- | ldso/libdl/libdl.c | 8 |
1 files changed, 5 insertions, 3 deletions
diff --git a/ldso/libdl/libdl.c b/ldso/libdl/libdl.c index 10ccab68c..f914cf3be 100644 --- a/ldso/libdl/libdl.c +++ b/ldso/libdl/libdl.c @@ -146,9 +146,11 @@ static const char *dl_error_names[] = { void dl_cleanup(void) __attribute__ ((destructor)); void dl_cleanup(void) { - struct dyn_elf *d; - for (d = _dl_handles; d; d = d->next_handle) { - do_dlclose(d, 1); + struct dyn_elf *h, *n; + + for (h = _dl_handles; h; h = n) { + n = h->next_handle; + do_dlclose(h, 1); } } |