author | Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com> | 2021-07-15 11:48:39 +0200 |
---|---|---|
committer | Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com> | 2021-07-19 12:44:07 +0200 |
commit | ec9fccbe53b518e33ced8aea3f38be335d45ad18 (patch) | |
tree | 4b41116d6ef2f32a94959f47351c5e275b2a435d | |
parent | 4499235ad15816756d2b1ff3b9a6a026ec85a47e (diff) | |
download | neard-ec9fccbe53b518e33ced8aea3f38be335d45ad18.tar.gz |
snep: fix double free of GSList
g_slist_free_full() already frees the entire GSList, so calling
g_slist_free() on the same list afterwards causes a double free and memory corruption.
This can be seen with Valgrind:
Invalid read of size 8
at 0x48E3980: g_slice_free_chain_with_offset (in /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.6600.1)
by 0x122075: snep_core_process_request (snep.c:481)
by 0x122075: near_snep_core_read (snep.c:620)
by 0x122CE4: test_snep_read_req_common (test-snep-read.c:348)
by 0x12457A: test_snep_read_get_req_frags_client_resp (test-snep-read.c:775)
by 0x48ECDCD: ??? (in /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.6600.1)
by 0x48ECBCA: ??? (in /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.6600.1)
by 0x48ED2B9: g_test_run_suite (in /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.6600.1)
by 0x48ED2D4: g_test_run (in /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.6600.1)
by 0x10F982: main (test-snep-read.c:960)
Address 0x501e198 is 8 bytes inside a block of size 16 free'd
at 0x483DA3F: free (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
by 0x48E3971: g_slice_free_chain_with_offset (in /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.6600.1)
by 0x122068: snep_core_process_request (snep.c:479)
by 0x122068: near_snep_core_read (snep.c:620)
by 0x122CE4: test_snep_read_req_common (test-snep-read.c:348)
by 0x12457A: test_snep_read_get_req_frags_client_resp (test-snep-read.c:775)
by 0x48ECDCD: ??? (in /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.6600.1)
by 0x48ECBCA: ??? (in /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.6600.1)
by 0x48ED2B9: g_test_run_suite (in /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.6600.1)
by 0x48ED2D4: g_test_run (in /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.6600.1)
by 0x10F982: main (test-snep-read.c:960)
Block was alloc'd at
at 0x483C7F3: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
by 0x48CA698: g_malloc (in /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.6600.1)
by 0x48E2CF1: g_slice_alloc (in /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.6600.1)
by 0x48E4407: g_slist_append (in /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.6600.1)
by 0x121AC7: snep_core_push_prepare_fragments (snep.c:377)
by 0x121AC7: near_snep_core_response (snep.c:695)
by 0x1224DB: near_snep_core_response_with_info (snep.c:779)
by 0x122E41: test_snep_dummy_req_get (test-snep-read.c:172)
by 0x121FF3: snep_core_process_request (snep.c:413)
by 0x121FF3: near_snep_core_read (snep.c:620)
by 0x122CE4: test_snep_read_req_common (test-snep-read.c:348)
by 0x124449: test_snep_read_get_req_frags_client_resp (test-snep-read.c:746)
by 0x48ECDCD: ??? (in /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.6600.1)
by 0x48ECBCA: ??? (in /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.6600.1)
Invalid free() / delete / delete[] / realloc()
at 0x483DA3F: free (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
by 0x48E3971: g_slice_free_chain_with_offset (in /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.6600.1)
by 0x122075: snep_core_process_request (snep.c:481)
by 0x122075: near_snep_core_read (snep.c:620)
by 0x122CE4: test_snep_read_req_common (test-snep-read.c:348)
by 0x12457A: test_snep_read_get_req_frags_client_resp (test-snep-read.c:775)
by 0x48ECDCD: ??? (in /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.6600.1)
by 0x48ECBCA: ??? (in /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.6600.1)
by 0x48ED2B9: g_test_run_suite (in /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.6600.1)
by 0x48ED2D4: g_test_run (in /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.6600.1)
by 0x10F982: main (test-snep-read.c:960)
Address 0x501e190 is 0 bytes inside a block of size 16 free'd
at 0x483DA3F: free (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
by 0x48E3971: g_slice_free_chain_with_offset (in /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.6600.1)
by 0x122068: snep_core_process_request (snep.c:479)
by 0x122068: near_snep_core_read (snep.c:620)
by 0x122CE4: test_snep_read_req_common (test-snep-read.c:348)
by 0x12457A: test_snep_read_get_req_frags_client_resp (test-snep-read.c:775)
by 0x48ECDCD: ??? (in /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.6600.1)
by 0x48ECBCA: ??? (in /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.6600.1)
by 0x48ED2B9: g_test_run_suite (in /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.6600.1)
by 0x48ED2D4: g_test_run (in /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.6600.1)
by 0x10F982: main (test-snep-read.c:960)
Block was alloc'd at
at 0x483C7F3: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
by 0x48CA698: g_malloc (in /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.6600.1)
by 0x48E2CF1: g_slice_alloc (in /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.6600.1)
by 0x48E4407: g_slist_append (in /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.6600.1)
by 0x121AC7: snep_core_push_prepare_fragments (snep.c:377)
by 0x121AC7: near_snep_core_response (snep.c:695)
by 0x1224DB: near_snep_core_response_with_info (snep.c:779)
by 0x122E41: test_snep_dummy_req_get (test-snep-read.c:172)
by 0x121FF3: snep_core_process_request (snep.c:413)
by 0x121FF3: near_snep_core_read (snep.c:620)
by 0x122CE4: test_snep_read_req_common (test-snep-read.c:348)
by 0x124449: test_snep_read_get_req_frags_client_resp (test-snep-read.c:746)
by 0x48ECDCD: ??? (in /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.6600.1)
by 0x48ECBCA: ??? (in /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.6600.1)
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
-rw-r--r-- | src/snep.c | 2 |
1 files changed, 0 insertions, 2 deletions
@@ -436,7 +436,6 @@ static bool snep_core_process_request(int client_fd,
 g_slist_free_full(snep_data->req->fragments, free_snep_core_fragment);
- g_slist_free(snep_data->req->fragments);
 g_hash_table_remove(snep_client_hash, GINT_TO_POINTER(client_fd));
@@ -476,7 +475,6 @@ leave_cont:
 /* No more fragment to send, clean memory */
 g_slist_free_full(snep_data->req->fragments, free_snep_core_fragment);
- g_slist_free(snep_data->req->fragments);
 g_hash_table_remove(snep_client_hash, GINT_TO_POINTER(client_fd)); |
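Review bot: After the `g_slist_free_full()` call kept in both hunks, `snep_data->req->fragments` is left pointing at freed list nodes; if `snep_data->req` is still reachable after this point (for instance through the value-destroy callback of `snep_client_hash`, or a later response path that walks or frees the fragment list again) that is the same class of double free the commit removes. Resetting the pointer right after the free, `snep_data->req->fragments = NULL;`, makes any later `g_slist_free_full()` or traversal a harmless no-op on an empty list, and the same one-line change applies to the second hunk at `leave_cont`. Whether the request object outlives this free cannot be determined from the hunks alone, so this should be checked against the hash table's destroy function. snep_core_process_request begins and ends outside both hunks.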