From: David Bremner
To: notmuch@notmuchmail.org
Cc: David Bremner
Subject: [PATCH 2/6] lib/open: fix potential double-free, ensure *database=NULL on error
Date: Sat, 23 Oct 2021 10:22:34 -0300
Message-Id: <20211023132238.1864400-3-david@tethera.net>
In-Reply-To: <20211023132238.1864400-1-david@tethera.net>
References: <20211023132238.1864400-1-david@tethera.net>
List-Id: "Use and development of the notmuch mail system."

During refactoring for 0.32, the code that set notmuch=NULL on various errors was moved into _finish_open. This meant that the code which relied on that to set *database to NULL on error was no longer correct. It also introduced a potential double free, since the notmuch struct was deallocated inside _finish_open (via n_d_destroy).

In this commit we revert to "allocator frees", and leave any cleanup to the caller of _finish_open. This allows us to get back the behaviour of setting *database to NULL with a small change. Other callers of _finish_open will need to free notmuch on errors.
--- lib/open.cc | 13 +++++-------- test/T590-libconfig.sh | 2 -- 2 files changed, 5 insertions(+), 10 deletions(-) diff --git a/lib/open.cc b/lib/open.cc index 8a835e98..77f01f72 100644 --- a/lib/open.cc +++ b/lib/open.cc 
@@ -396,8 +396,6 @@ _finish_open (notmuch_database_t *notmuch, " has a newer database format version (%u) than supported by this\n" " version of notmuch (%u).\n", database_path, version, NOTMUCH_DATABASE_VERSION)); - notmuch_database_destroy (notmuch); - notmuch = NULL; status = NOTMUCH_STATUS_FILE_ERROR; goto DONE; } @@ -414,8 +412,6 @@ _finish_open (notmuch_database_t *notmuch, " requires features (%s)\n" " not supported by this version of notmuch.\n", database_path, incompat_features)); - notmuch_database_destroy (notmuch); - notmuch = NULL; status = NOTMUCH_STATUS_FILE_ERROR; goto DONE; } @@ -489,8 +485,6 @@ _finish_open (notmuch_database_t *notmuch, } catch (const Xapian::Error &error) { IGNORE_RESULT (asprintf (&message, "A Xapian exception occurred opening database: %s\n", error.get_msg ().c_str ())); - notmuch_database_destroy (notmuch); - notmuch = NULL; status = NOTMUCH_STATUS_XAPIAN_EXCEPTION; } DONE: @@ -559,10 +553,13 @@ notmuch_database_open_with_config (const char *database_path, free (message); } + if (status && notmuch) { + notmuch_database_destroy (notmuch); + notmuch = NULL; + } + if (database) *database = notmuch; - else - talloc_free (notmuch); if (notmuch) notmuch->open = true; diff --git a/test/T590-libconfig.sh b/test/T590-libconfig.sh index ed12b005..a0d70080 100755 --- a/test/T590-libconfig.sh +++ b/test/T590-libconfig.sh @@ -862,7 +862,6 @@ cat < c_tail3 EOF test_begin_subtest "open: database set to null on missing config" -test_subtest_known_broken cat c_head3 - c_tail3 <<'EOF' | test_C ${MAIL_DIR} "/nonexistent" notmuch_status_t st = notmuch_database_open_with_config(argv[1], NOTMUCH_DATABASE_MODE_READ_ONLY, @@ -876,7 +875,6 @@ EOF test_expect_equal_file EXPECTED OUTPUT test_begin_subtest "open: database set to null on missing config (env)" -test_subtest_known_broken old_NOTMUCH_CONFIG=${NOTMUCH_CONFIG} NOTMUCH_CONFIG="/nonexistent" cat c_head3 - c_tail3 <<'EOF' | test_C ${MAIL_DIR} -- 2.33.0
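
Review bot: The three _finish_open hunks (@@ -396, @@ -412 and @@ -485) change who owns notmuch on error, but that contract is stated only in the commit message. Add a comment above _finish_open saying it never frees notmuch and that the caller must destroy it when a non-zero status comes back. This diff updates only notmuch_database_open_with_config, so the other callers the commit message mentions will not free notmuch on these three error exits until they gain the same `if (status && notmuch)` cleanup.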
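
Review bot: In the notmuch_database_open_with_config hunk (@@ -559,10 +553,13), removing `else talloc_free (notmuch);` leaves no cleanup for a successful open where the caller passed database == NULL: the new block runs only when status is non-zero, so the handle is neither returned nor destroyed. Consider widening the condition to `if ((status || ! database) && notmuch)`, or state in the API documentation that a NULL database argument is not supported. The removed else branch also freed notmuch without clearing the pointer, so the following `if (notmuch) notmuch->open = true;` wrote to freed memory; the commit message could mention that this is fixed too.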
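
Review bot: In test/T590-libconfig.sh, the two subtests that lose test_subtest_known_broken exercise only the missing-config path. None of the three error exits changed in _finish_open (newer database version, unsupported features, Xapian exception) has a subtest in this diff asserting that *database is NULL on return. Adding one for at least the version or feature mismatch would pin the behaviour this patch restores and would also run the new `notmuch_database_destroy` cleanup in the caller.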