libtac: fix double free in tac_acct_read_timeout

Core dumped due: "free(): double free detected in tcache 2" re->msg should be freed by the caller as in comment 6380c5a, else it will create a dangling pointer. Fixes: 6380c5a ("Replace deprecated bcopy() by memcpy()") Signed-off-by: Loïc Sang <[email protected]>
kravietz · Oct 11, 2023 · a6c2742 · a6c2742
1 parent 4284d90
commit a6c2742
Showing 1 changed file with 1 addition and 2 deletions.
diff --git a/libtac/lib/acct_r.c b/libtac/lib/acct_r.c
@@ -139,8 +139,7 @@ int tac_acct_read_timeout(int fd, struct areply *re, unsigned long timeout)
         msg = (char *)xcalloc(1, tb->msg_len + 1);
         memcpy(msg, (unsigned char *)tb + TAC_ACCT_REPLY_FIXED_FIELDS_SIZE, tb->msg_len);
         msg[(int)tb->msg_len] = '\0';
-        re->msg = msg;
-        free(msg);
+        re->msg = msg; /* Freed by caller */
     }
 
     /* server logged our request successfully */