From b0644e822cd10d93c1168f7b356068fabc02b2bf Mon Sep 17 00:00:00 2001 From: Markus Armbruster Date: Sat, 28 Jun 2008 09:15:49 -0400 Subject: [PATCH] Fix seqno mismatch and use-after-free in shp_sweep() The code wrote the swept sector after calling shp_check_one_mines(). This failed to use up the mine that hit the minesweeper, and triggered a seqno mismatch oops. The code wrote the minesweeper after calling shp_check_one_mines(). This used freed memory when the minesweeper got sunk there. Broken in 4.0.17. Fix by moving both calls before shp_check_one_mines(). --- src/lib/subs/shpsub.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/lib/subs/shpsub.c b/src/lib/subs/shpsub.c index 0240bec7..4bb1064f 100644 --- a/src/lib/subs/shpsub.c +++ b/src/lib/subs/shpsub.c @@ -215,13 +215,13 @@ shp_sweep(struct emp_qelem *ship_list, int verbose, int takemob, natid actor) } sect.sct_mines = mines; mlp->unit.ship.shp_item[I_SHELL] = shells; + putship(mlp->unit.ship.shp_uid, &mlp->unit.ship); + putsect(§); if (shp_check_one_mines(mlp)) { stopping = 1; emp_remque(qp); free(qp); } - putship(mlp->unit.ship.shp_uid, &mlp->unit.ship); - putsect(§); } if (changed) writemap(actor);
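Review bot: The reordering fixes both problems described, but nothing in the hunk guards against a later edit reintroducing them: once `shp_check_one_mines(mlp)` returns nonzero, `emp_remque(qp); free(qp);` releases the element that `mlp` points into, so no code after that call may dereference `mlp` or write stale ship/sector state. That holds as the loop body ends right there, but a one-line comment above the moved pair, e.g. `/* persist ship and sector first: the mine check may sink the ship and free mlp */`, would document the ordering constraint that the commit message explains but the code does not. One further point on the context lines as rendered here: the argument in `putsect(§);` is not valid C; given `sect.sct_mines = mines;` two lines earlier, the actual source must read `putsect(&sect);`, and the `§` is the HTML entity `&sect` being decoded in this rendering, not something the patch changes.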