From 3e1f3df6183b2ed2cadf2af2383063891e2c53bd Mon Sep 17 00:00:00 2001
From: Werner Koch
Date: Fri, 15 Mar 2019 08:55:06 +0100
Subject: [PATCH] gpg: Fix recently introduced use after free.
* g10/mainproc.c (proc_plaintext): Do not use freed memory.
--
GnuPG-bug-id: 4407
Signed-off-by: Werner Koch
---
 g10/mainproc.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/g10/mainproc.c b/g10/mainproc.c
index 6fa30e0d4..7acf67b1e 100644
--- a/g10/mainproc.c
+++ b/g10/mainproc.c
@@ -946,9 +946,6 @@ proc_plaintext( CTX c, PACKET *pkt )
 if (rc) log_error ("handle plaintext failed: %s\n", gpg_strerror (rc));
- free_packet (pkt, NULL);
- c->last_was_session_key = 0;
-
 /* We add a marker control packet instead of the plaintext packet.
 * This is so that we can later detect invalid packet sequences.
 * The apcket is further used to convey extra data from the
@@ -974,6 +971,9 @@ proc_plaintext( CTX c, PACKET *pkt )
 extrahash[extrahashlen++] = pt->timestamp ;
 }
+ free_packet (pkt, NULL);
+ c->last_was_session_key = 0;
+
 n = new_kbnode (create_gpg_control (CTRLPKT_PLAINTEXT_MARK, extrahash, extrahashlen));
 xfree (extrahash);
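Review bot: In the second hunk, nothing at the relocated `free_packet (pkt, NULL);` records why it has to stay below the extrahash block, so the next edit that reads `pt` further down can reintroduce the same use after free. The declaration of `pt` is outside the hunk, but the `pt->timestamp` read just above and the commit subject suggest it points into `pkt`'s payload and is dangling once the packet is freed. I would put a comment directly above the call, for example `/* PT points into PKT and must not be used after this call. */`. If `pt` is a plain local pointer, also add `pt = NULL;` right after the free, so a later misuse faults immediately instead of silently reading freed memory. proc_plaintext begins and ends outside the hunk, so check the rest of the body for any remaining `pt` or `pkt->pkt` access after this point.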