connectivity: fix wrong memory access

Don't use message data after calling curl_multi_remove_handle(). Fixes
the following asan error:

=================================================================
==13238==ERROR: AddressSanitizer: heap-use-after-free on address 0x608000091ad0 at pc 0x55750f8d9a10 bp 0x7ffeb7f5f210 sp 0x7ffeb7f5f200
READ of size 8 at 0x608000091ad0 thread T0
    #0 0x55750f8d9a0f in curl_check_connectivity (/usr/sbin/NetworkManager+0x190a0f)
    #1 0x55750f8da7dd in curl_socketevent_cb (/usr/sbin/NetworkManager+0x1917dd)
    #2 0x7f73cb64e8f8 in g_main_context_dispatch (/lib64/libglib-2.0.so.0+0x4a8f8)
    #3 0x7f73cb64ec57  (/lib64/libglib-2.0.so.0+0x4ac57)
    #4 0x7f73cb64ef29 in g_main_loop_run (/lib64/libglib-2.0.so.0+0x4af29)
    #5 0x55750f85c3f4  (/usr/sbin/NetworkManager+0x1133f4)
    #6 0x7f73c9f19384 in __libc_start_main (/lib64/libc.so.6+0x22384)
    #7 0x55750f85d7f7  (/usr/sbin/NetworkManager+0x1147f7)

0x608000091ad0 is located 48 bytes inside of 88-byte region [0x608000091aa0,0x608000091af8)
freed by thread T0 here:
    #0 0x7f73cd61f508 in __interceptor_free (/lib64/libasan.so.4+0xde508)
    #1 0x7f73ca710eaa in curl_multi_remove_handle (/lib64/libcurl.so.4+0x32eaa)

previously allocated by thread T0 here:
    #0 0x7f73cd61fa88 in __interceptor_calloc (/lib64/libasan.so.4+0xdea88)
    #1 0x7f73ca710b3d in curl_multi_add_handle (/lib64/libcurl.so.4+0x32b3d)

SUMMARY: AddressSanitizer: heap-use-after-free (/usr/sbin/NetworkManager+0x190a0f)
Beniamino Galvani 2018-02-09 11:33:39 +01:00
parent f548806213
commit 43960d4b15

@ -137,6 +137,7 @@ curl_check_connectivity (CURLM *mhandle, CURLMcode ret)
ConCheckCbData *cb_data;
CURLMsg *msg;
CURLcode eret;
CURL *easy_handle;
gint m_left;
long response_code;
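Review bot: the new `CURL *easy_handle` declaration follows the function's existing top-of-block declaration style, so no change needed here; it is only assigned and read in the remove/cleanup path of the second hunk, and since the rendered diff has lost its `+`/`-` markers, the added line can only be identified from the hunk counts (`-137,6 +137,7`), so confirm that `CURL *easy_handle;` is the single inserted line.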
@ -182,8 +183,10 @@ curl_check_connectivity (CURLM *mhandle, CURLMcode ret)
finish_cb_data (cb_data, c);
}
curl_multi_remove_handle (mhandle, msg->easy_handle);
curl_easy_cleanup (msg->easy_handle);
/* Do not use message data after calling curl_multi_remove_handle() */
easy_handle = msg->easy_handle;
curl_multi_remove_handle (mhandle, easy_handle);
curl_easy_cleanup (easy_handle);
}
}
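Review bot: the fix is correct but the comment on the new line should state the reason rather than just the rule: the `CURLMsg` returned by `curl_multi_info_read()` is owned by the multi handle and is freed inside `curl_multi_remove_handle()`, which is exactly what the ASan trace above shows (freed in `curl_multi_remove_handle`, allocated in `curl_multi_add_handle`), so `msg->easy_handle` has to be copied into the local before the call. Suggest `/* msg is freed by curl_multi_remove_handle(); copy the easy handle first */`. Also verify that nothing later in this loop iteration dereferences `msg` (for example through `cb_data`), since the same use-after-free would recur there, and note that the `CURLMcode` returned by `curl_multi_remove_handle()` is still discarded on the new line.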