[PATCH] Fix use-after-free in config_write_file

historical

---
 src/vty/command.c |   13 ++++++-------
 1 files changed, 6 insertions(+), 7 deletions(-)

diff --git a/src/vty/command.c b/src/vty/command.c
index ab1eaca..b3595e5 100644
--- a/src/vty/command.c
+++ b/src/vty/command.c
@@ -2337,40 +2337,39 @@ DEFUN(config_write_file,
 			vty_out(vty,
 				"Can't unlink backup configuration file %s.%s",
 				config_file_sav, VTY_NEWLINE);
+			unlink(config_file_tmp);
 			talloc_free(config_file_sav);
 			talloc_free(config_file_tmp);
-			unlink(config_file_tmp);
 			return CMD_WARNING;
 		}
 	if (link(config_file, config_file_sav) != 0) {
 		vty_out(vty, "Can't backup old configuration file %s.%s",
 			config_file_sav, VTY_NEWLINE);
+		unlink(config_file_tmp);
 		talloc_free(config_file_sav);
 		talloc_free(config_file_tmp);
-		unlink(config_file_tmp);
 		return CMD_WARNING;
 	}
+	talloc_free(config_file_sav); /* we are done with config_file_sav by now */
 	sync();
+
 	if (unlink(config_file) != 0) {
 		vty_out(vty, "Can't unlink configuration file %s.%s",
 			config_file, VTY_NEWLINE);
-		talloc_free(config_file_sav);
-		talloc_free(config_file_tmp);
 		unlink(config_file_tmp);
+		talloc_free(config_file_tmp);
 		return CMD_WARNING;
 	}
 	if (link(config_file_tmp, config_file) != 0) {
 		vty_out(vty, "Can't save configuration file %s.%s", config_file,
 			VTY_NEWLINE);
-		talloc_free(config_file_sav);
-		talloc_free(config_file_tmp);
 		unlink(config_file_tmp);
+		talloc_free(config_file_tmp);
 		return CMD_WARNING;
 	}
 	unlink(config_file_tmp);
 	sync();
 
-	talloc_free(config_file_sav);
 	talloc_free(config_file_tmp);
 
 	if (chmod(config_file, 0666 & ~CONFIGFILE_MASK) != 0) {
-- 
1.7.5.4


--n8g4imXOkfNTN/H1--


