From b011199cf330b90483b312c57f25c90a31f2577b Mon Sep 17 00:00:00 2001
From: Samuel Thibault
Date: Tue, 10 Aug 2021 21:57:04 +0200
Subject: startup: Fix double-free on bogus startup_essential_task call

Returning an error will deallocate the RPC references.

Reported-by: Sergey Bugaev
---
 startup/startup.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
(limited to 'startup/startup.c')

diff --git a/startup/startup.c b/startup/startup.c
index 90cdaa85..bc0ff73a 100644
--- a/startup/startup.c
+++ b/startup/startup.c
@@ -1465,10 +1465,6 @@ S_startup_essential_task (mach_port_t server,
 static int authinit, procinit, execinit, fsinit;
 int fail;
 
- /* Always deallocate the extra reference this message carries. */
- if (MACH_PORT_VALID (credential))
- mach_port_deallocate (mach_task_self (), credential);
-
 if (credential != host_priv)
 return EPERM;
 
@@ -1480,6 +1476,10 @@ S_startup_essential_task (mach_port_t server,
 if (fail)
 return fail;
 
+ /* Always deallocate the extra reference this message carries. */
+ if (MACH_PORT_VALID (credential))
+ mach_port_deallocate (mach_task_self (), credential);
+
 if (!booted)
 {
 if (!strcmp (name, "auth"))
-- 
cgit v1.2.3
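Review bot: The comment re-added in the second hunk still reads "Always deallocate", but after this change the reference is released here only on the success path; on the `return EPERM;` and `return fail;` exits the commit message says the RPC layer deallocates it. Reword it to state the ownership rule, for example `/* Success path: consume the credential reference here; on an error return the RPC layer deallocates it. */`, so a later edit does not move the call back above the checks. The body of S_startup_essential_task continues past the end of the hunk, so it cannot be confirmed from here that every path after the deallocation returns success. Any non-zero return after this point would release the same reference twice again and is worth checking.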