log: fix use-after-free in 47dfcb7

rustyrussell · rustyrussell · commit 531671cdf2b2 · 2014-10-27T16:35:05.000+10:30
Causes pettycoin to segv (generator logs).

Signed-off-by: Rusty Russell &lt;rusty@rustcorp.com.au&gt;
diff --git a/log.c b/log.c
@@ -145,7 +145,7 @@ static void add_entry(struct log *log, struct log_entry *l)
 
 static struct log_entry *new_log_entry(struct log *log, enum log_level level)
 {
-	struct log_entry *l = tal(log, struct log_entry);
+	struct log_entry *l = tal(log->lr, struct log_entry);
 
 	l->time = time_now();
 	l->level = level;
diff --git a/test/run-06-log.c b/test/run-06-log.c
@@ -122,9 +122,13 @@ int main(void)
 	wait(&status);
 	assert(WIFEXITED(status) && WEXITSTATUS(status) == 0);
 
+	/* Make sure log record survives freeing of log. */
+	tal_free(log);
+
 	/* This cleans us out! */
+	log = new_log(ctx, lr, "PREFIX2:");
 	log_debug(log, "Overflow!");
-	
+
 	/* Make child write log, be sure it's correct. */
 	pipe(fds);
 	switch (fork()) {
@@ -147,8 +151,8 @@ int main(void)
 	assert(tal_strreg(p, p,
 			  "([0-9]*) bytes, Sun Nov 10 06:27:35 2013\n"
 			  "\\.\\.\\. 4 skipped\\.\\.\\.\n"
-			  "\\+0.000000004 PREFIX:DEBUG: Overflow!\n"
-			  "\\+0.000000004 PREFIX:DEBUG: Log pruned 4 entries \\(mem ([0-9]*) -> ([0-9]*)\\)\n\n", &mem1, &mem2, &mem3));
+			  "\\+0.000000004 PREFIX2:DEBUG: Overflow!\n"
+			  "\\+0.000000004 PREFIX2:DEBUG: Log pruned 4 entries \\(mem ([0-9]*) -> ([0-9]*)\\)\n\n", &mem1, &mem2, &mem3));
 	assert(atoi(mem1) < maxmem);
 	assert(atoi(mem2) >= maxmem);
 	assert(atoi(mem3) < maxmem);

Original file line number	Diff line number	Diff line change
`@@ -145,7 +145,7 @@ static void add_entry(struct log log, struct log_entry l)`
`145`	`145`
`146`	`146`	`static struct log_entry new_log_entry(struct log log, enum log_level level)`
`147`	`147`	`{`
`148`		`- struct log_entry *l = tal(log, struct log_entry);`
	`148`	`+ struct log_entry *l = tal(log->lr, struct log_entry);`
`149`	`149`
`150`	`150`	`l->time = time_now();`
`151`	`151`	`l->level = level;`