mmjsonparse: avoid json double-free on add failure

Why:
msgAddJSON may release the passed JSON object on some error paths.
processJSON was unconditionally freeing the same pointer in finalize,
which can double-free and crash rsyslog.

Impact:
Prevents a crash on msgAddJSON failure paths in find-json mode.

Before/After:
Before, processJSON could free json after msgAddJSON already freed it.
After, processJSON does not touch json after handing it to msgAddJSON.

Technical Overview:
1. Removed processJSON failure cleanup that called json_object_put(json).
2. Documented ownership semantics at the msgAddJSON call site.
3. Kept control flow and return behavior unchanged.

With the help of AI-Agents: Codex
Rainer Gerhards 2026-05-24 16:35:45 +02:00
parent 492c929298
commit a192fd7664

@ -295,15 +295,13 @@ static rsRetVal processJSON(wrkrInstanceData_t *pWrkrData, smsg_t *pMsg, struct
DBGPRINTF("mmjsonparse: processing already parsed JSON object\n");
/* JSON is already parsed and validated, just add it to the message */
/* JSON is already parsed and validated, just add it to the message.
* msgAddJSON assumes ownership of json and may release it on both
* success and error paths, so do not access json after this call.
*/
CHKiRet(msgAddJSON(pMsg, pWrkrData->pData->container, json, 0, 0));
/* Note: msgAddJSON takes ownership of the json object on success,
* but we need to clean up on failure */
finalize_it:
if (iRet != RS_RET_OK && json != NULL) {
json_object_put(json);
}
RETiRet;
}
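
Review bot: The new comment above the msgAddJSON call says it "may release it on both success and error paths", which leaves open whether every error return of msgAddJSON actually releases json. With the finalize_it cleanup removed, any error path that returns without releasing the object now leaks it where it previously risked a double free. Please confirm that msgAddJSON consumes json on every return path and word the comment as a firm contract (for example "always consumes json, on success and on error"), ideally stated at msgAddJSON itself as well as at this call site. If json is handed to processJSON by its caller, the function's header comment should also say that the caller must not use or free json after processJSON returns, since the same ownership rule now applies one level up.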