fdo-mirrors/NetworkManager
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/NetworkManager/NetworkManager.git synced 2025-12-28 14:30:09 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

libnm-core: fix invalid memory access

Browse source 
When we delete the runner.name property, the runner object itself gets
deleted if that was the only property, and @runner becomes invalid.

 ==13818== Invalid read of size 1
 ==13818==    at 0x55EAF4: nm_streq (nm-macros-internal.h:869)
 ==13818==    by 0x55EAF4: _json_team_normalize_defaults (nm-utils.c:5573)
 ==13818==    by 0x566C89: _nm_utils_team_config_set (nm-utils.c:6057)
 ==13818==    by 0x5498A6: _nm_utils_json_append_gvalue (nm-utils-private.h:228)
 ==13818==    by 0x5498A6: set_property (nm-setting-team.c:1622)
 ==13818==  Address 0x182a9330 is 0 bytes inside a block of size 13 free'd
 ==13818==    at 0x4839A0C: free (vg_replace_malloc.c:530)
 ==13818==    by 0x4857868: json_delete_string (value.c:763)
 ==13818==    by 0x4857868: json_delete (value.c:975)
 ==13818==    by 0x4851FA1: UnknownInlinedFun (jansson.h:129)
 ==13818==    by 0x4851FA1: hashtable_do_del (hashtable.c:131)
 ==13818==    by 0x4851FA1: hashtable_del (hashtable.c:289)
 ==13818==    by 0x55DFDD: _json_del_object (nm-utils.c:5384)
 ==13818==    by 0x55EA70: _json_delete_object_on_string_match (nm-utils.c:5532)
 ==13818==    by 0x55EADB: _json_team_normalize_defaults (nm-utils.c:5549)
 ==13818==    by 0x566C89: _nm_utils_team_config_set (nm-utils.c:6057)
 ==13818==    by 0x5498A6: _nm_utils_json_append_gvalue (nm-utils-private.h:228)
 ==13818==    by 0x5498A6: set_property (nm-setting-team.c:1622)
 ==13818==  Block was alloc'd at
 ==13818==    at 0x483880B: malloc (vg_replace_malloc.c:299)
 ==13818==    by 0x4852E8C: lex_scan_string (load.c:389)
 ==13818==    by 0x4852E8C: lex_scan (load.c:620)
 ==13818==    by 0x4853458: parse_object (load.c:738)
 ==13818==    by 0x4853458: parse_value (load.c:862)
 ==13818==    by 0x4853466: parse_object (load.c:739)
 ==13818==    by 0x4853466: parse_value (load.c:862)
 ==13818==    by 0x4853655: parse_json.constprop.7 (load.c:899)
 ==13818==    by 0x48537CF: json_loads (load.c:959)
 ==13818==    by 0x566780: _nm_utils_team_config_set (nm-utils.c:5961)
 ==13818==    by 0x5498A6: _nm_utils_json_append_gvalue (nm-utils-private.h:228)
 ==13818==    by 0x5498A6: set_property (nm-setting-team.c:1622)

Fixes: a5642fd93a ('libnm-core: team: rework defaults management on runner properties')
(cherry picked from commit 80a3031a7c)
(cherry picked from commit 3fa39f6112)
This commit is contained in:
Beniamino Galvani 2019-04-08 18:20:39 +02:00
parent 8494b87d40
commit 76c283aed9
1 changed files with 3 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
libnm-core/nm-utils.c
View file

@ -5368,6 +5368,7 @@ _json_team_normalize_defaults (json_t *json, gboolean reset)
{
json_t *json_element;
const char *runner = NM_SETTING_TEAM_RUNNER_DEFAULT;
gs_free char *runner_free = NULL;
int notify_peers_count = 0, notify_peers_interval = 0;
int mcast_rejoin_count = 0, mcast_rejoin_interval = 0;
int runner_tx_balancer_interval = -1;
@ -5376,7 +5377,8 @@ _json_team_normalize_defaults (json_t *json, gboolean reset)
json_element = _json_find_object (json, "runner", "name", NULL);
if (json_element) {
runner = json_string_value (json_element);
runner_free = g_strdup (json_string_value (json_element));
runner = runner_free;
_json_delete_object_on_string_match (json, "runner", "name", NULL,
NM_SETTING_TEAM_RUNNER_DEFAULT);
}