From 3d8b327c6056476a19b28325ba792d42ffd66f97 Mon Sep 17 00:00:00 2001
From: "Todd C. Miller" <Todd.Miller@sudo.ws>
Date: Thu, 26 Aug 2021 10:07:50 -0600
Subject: [PATCH] Fix use-after-free on error. Also remove useless free of a
 ptr that is always NULL on the error path.

---
 src/exec_intercept.c | 13 ++++++-------
 1 file changed, 6 insertions(+), 7 deletions(-)

diff --git a/src/exec_intercept.c b/src/exec_intercept.c
index 1ebe5dbfe..9da36c151 100644
--- a/src/exec_intercept.c
+++ b/src/exec_intercept.c
@@ -241,7 +241,6 @@ update_command_info(char * const *old_command_info, const char *cmnd,
     debug_return_ptr(command_info);
 bad:
     free(command_info);
-    free(tmp_command);
     debug_return_ptr(NULL);
 }
 
@@ -408,12 +407,6 @@ intercept_check_policy(PolicyCheckRequest *req,
     ret = true;
 
 done:
-    if (!ISSET(closure->details->flags, CD_INTERCEPT)) {
-	free(tofree);
-	free(command_info);
-    }
-    free(argv);
-
     if (!ret) {
 	if (closure->errstr == NULL)
 	    closure->errstr = N_("policy plugin error");
@@ -421,6 +414,12 @@ done:
 	    command_info);
 	closure->state = POLICY_ERROR;
     }
+    if (!ISSET(closure->details->flags, CD_INTERCEPT)) {
+	free(tofree);
+	free(command_info);
+    }
+    free(argv);
+
     debug_return_bool(ret);
 }