From b2645747b7b4698ef93beb81a00ba5daaa0b1406 Mon Sep 17 00:00:00 2001
From: Zbigniew Jędrzejewski-Szmek
Date: Fri, 22 Mar 2019 17:23:49 +0100
Subject: nspawn-oci: fix double free

Also rename function to make it clear that it also frees the array object itself.
---
 src/nspawn/nspawn-settings.c | 5 ++---
 src/nspawn/nspawn-settings.h | 2 +-
 src/nspawn/nspawn.c | 4 ++--
 .../fuzz-nspawn-oci/crash-bffbd2085d4e95c47e9749b3f4a2dbc0580c20d3 | 5 +++++
 4 files changed, 10 insertions(+), 6 deletions(-)
 create mode 100644 test/fuzz/fuzz-nspawn-oci/crash-bffbd2085d4e95c47e9749b3f4a2dbc0580c20d3

diff --git a/src/nspawn/nspawn-settings.c b/src/nspawn/nspawn-settings.c
index ab69f24c54e..476cb0779e7 100644
--- a/src/nspawn/nspawn-settings.c
+++ b/src/nspawn/nspawn-settings.c
@@ -110,7 +110,7 @@ static void free_oci_hooks(OciHook *h, size_t n) {
 free(h);
 }
-void device_node_free_many(DeviceNode *node, size_t n) {
+void device_node_array_free(DeviceNode *node, size_t n) {
 size_t i;
 for (i = 0; i < n; i++)
@@ -156,8 +156,7 @@ Settings* settings_free(Settings *s) {
 sd_bus_message_unref(s->properties);
 free(s->supplementary_gids);
- device_node_free_many(s->extra_nodes, s->n_extra_nodes);
- free(s->extra_nodes);
+ device_node_array_free(s->extra_nodes, s->n_extra_nodes);
 free(s->network_namespace_path);
 strv_free(s->sysctl);
diff --git a/src/nspawn/nspawn-settings.h b/src/nspawn/nspawn-settings.h
index cc802f77afa..231082706d4 100644
--- a/src/nspawn/nspawn-settings.h
+++ b/src/nspawn/nspawn-settings.h
@@ -254,4 +254,4 @@ TimezoneMode timezone_mode_from_string(const char *s) _pure_;
 int parse_link_journal(const char *s, LinkJournal *ret_mode, bool *ret_try);
-void device_node_free_many(DeviceNode *node, size_t n);
+void device_node_array_free(DeviceNode *node, size_t n);
diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
index f3842f70c65..8e6780d54bc 100644
--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
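Review bot: settings_free() now hands `s->extra_nodes` and `s->n_extra_nodes` to device_node_array_free() as a pair, but the merge_settings() hunk in nspawn.c moves the pointer out with `TAKE_PTR(settings->extra_nodes)` and copies the count without clearing it. If that Settings object is later released through settings_free(), the call is made with a NULL array and a non-zero n; the loop body of device_node_array_free() lies outside the -110 hunk, but if it reads `node[i]` this becomes a NULL dereference. Resetting the count where ownership moves keeps the pair consistent: add `settings->n_extra_nodes = 0;` right after `arg_n_extra_nodes = settings->n_extra_nodes;`. A short comment on the prototype in nspawn-settings.h saying that the function releases the array as well as its entries would also help callers avoid reintroducing the extra `free()`.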
@@ -3958,7 +3958,7 @@ static int merge_settings(Settings *settings, const char *path) {
 arg_console_width = settings->console_width;
 arg_console_height = settings->console_height;
- device_node_free_many(arg_extra_nodes, arg_n_extra_nodes);
+ device_node_array_free(arg_extra_nodes, arg_n_extra_nodes);
 arg_extra_nodes = TAKE_PTR(settings->extra_nodes);
 arg_n_extra_nodes = settings->n_extra_nodes;
@@ -5070,7 +5070,7 @@ finish:
 custom_mount_free_all(arg_custom_mounts, arg_n_custom_mounts);
 expose_port_free_all(arg_expose_ports);
 rlimit_free_all(arg_rlimit);
- device_node_free_many(arg_extra_nodes, arg_n_extra_nodes);
+ device_node_array_free(arg_extra_nodes, arg_n_extra_nodes);
 if (r < 0) return r;
diff --git a/test/fuzz/fuzz-nspawn-oci/crash-bffbd2085d4e95c47e9749b3f4a2dbc0580c20d3 b/test/fuzz/fuzz-nspawn-oci/crash-bffbd2085d4e95c47e9749b3f4a2dbc0580c20d3
new file mode 100644
index 00000000000..22e42d3bad2
--- /dev/null
+++ b/test/fuzz/fuzz-nspawn-oci/crash-bffbd2085d4e95c47e9749b3f4a2dbc0580c20d3
@@ -0,0 +1,5 @@
+{"ociVersion": "1.0.0", +"linux": {"devices": [ { "access": "mmmw;r"} +] }, "e": "}e" + } + \ No newline at end of file
-- cgit v1.2.3-59-g8ed1b