From a6c274296900d5f32aa530c9702cb03b629d82c9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lo=C3=AFc=20Sang?=
Date: Wed, 11 Oct 2023 11:32:35 +0200
Subject: [PATCH] libtac: fix double free in tac_acct_read_timeout
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Core dumped due: "free(): double free detected in tcache 2" re->msg should be freed by the caller as in comment 6380c5a81ea6, else it will create a dangling pointer.
Fixes: 6380c5a81ea6 ("Replace deprecated bcopy() by memcpy()")
Signed-off-by: Loïc Sang
---
 libtac/lib/acct_r.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/libtac/lib/acct_r.c b/libtac/lib/acct_r.c
index bd8b9bb5..a35e068e 100644
--- a/libtac/lib/acct_r.c
+++ b/libtac/lib/acct_r.c
@@ -139,8 +139,7 @@ int tac_acct_read_timeout(int fd, struct areply *re, unsigned long timeout)
 msg = (char *)xcalloc(1, tb->msg_len + 1);
 memcpy(msg, (unsigned char *)tb + TAC_ACCT_REPLY_FIXED_FIELDS_SIZE, tb->msg_len);
 msg[(int)tb->msg_len] = '\0';
- re->msg = msg;
- free(msg);
+ re->msg = msg; /* Freed by caller */
 }
 /* server logged our request successfully */
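Review bot: The ownership transfer at `re->msg = msg; /* Freed by caller */` is recorded only in an inline comment inside the `if` body, so callers of tac_acct_read_timeout have no contract to read. I would state it in the function's header comment, e.g. `/* On return re->msg is NULL or heap-allocated; the caller must free() it. */`. That contract holds only if every other return path also leaves `re->msg` either NULL or pointing at heap memory. A path that stores a string literal or leaves the field unset would turn the caller's free() into an invalid free, and this cannot be checked here because the function starts and ends outside the hunk. The `memcpy` length `tb->msg_len` comes from the server reply, and is presumably validated against the received body length earlier in the function; worth confirming while this block is being touched.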