From 9e2ec0b7a1452940aa328abc61389e2ee5a533ab Mon Sep 17 00:00:00 2001
From: Dan Williams <dcbw@redhat.com>
Date: Fri, 24 Sep 2010 18:25:45 -0500
Subject: [PATCH] system-settings: fix use-after-free causing crashes when
 hostname is empty

Should be returning NULL here since the actual hostname is returned in the
for() loop if the plugin supports hostnames.  But if the plugin for some
reason returns an empty string (which they aren't supposed to do) then
hostname would be left assigned to an already-freed value, which was then
returned to higher layers.

==12331== Invalid free() / delete / delete[]
==12331==    at 0x4024B3A: free (vg_replace_malloc.c:366)
==12331==    by 0x448BFC5: g_free (gmem.c:191)
==12331==    by 0x43E0E05: value_free_string (gvaluetypes.c:268)
==12331==    by 0x43DC587: g_value_unset (gvalue.c:276)
==12331==    by 0x80B297F: notify (nm-sysconfig-settings.c:229)
==12331==    by 0x43C64E7: g_cclosure_marshal_VOID__PARAM (gmarshal.c:531)
==12331==    by 0x43B78B8: g_type_class_meta_marshal (gclosure.c:878)
==12331==    by 0x43B9251: g_closure_invoke (gclosure.c:767)
==12331==    by 0x43CD239: signal_emit_unlocked_R (gsignal.c:3178)
==12331==    by 0x43CEDB3: g_signal_emit_valist (gsignal.c:2981)
==12331==    by 0x43CF255: g_signal_emit (gsignal.c:3038)
==12331==    by 0x43BD630: g_object_dispatch_properties_changed (gobject.c:801)
==12331==  Address 0x479f208 is 0 bytes inside a block of size 1 free'd
==12331==    at 0x4024B3A: free (vg_replace_malloc.c:366)
==12331==    by 0x448BFC5: g_free (gmem.c:191)
==12331==    by 0x80B1A08: nm_sysconfig_settings_get_hostname (nm-sysconfig-settings.c:280)
==12331==    by 0x80B27C7: get_property (nm-sysconfig-settings.c:1415)
==12331==    by 0x43BC707: g_object_get_property (gobject.c:935)
==12331==    by 0x80B288D: notify (nm-sysconfig-settings.c:225)
==12331==    by 0x43C64E7: g_cclosure_marshal_VOID__PARAM (gmarshal.c:531)
==12331==    by 0x43B78B8: g_type_class_meta_marshal (gclosure.c:878)
==12331==    by 0x43B9251: g_closure_invoke (gclosure.c:767)
==12331==    by 0x43CD239: signal_emit_unlocked_R (gsignal.c:3178)
==12331==    by 0x43CEDB3: g_signal_emit_valist (gsignal.c:2981)
==12331==    by 0x43CF255: g_signal_emit (gsignal.c:3038)
---
 src/system-settings/nm-sysconfig-settings.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/system-settings/nm-sysconfig-settings.c b/src/system-settings/nm-sysconfig-settings.c
index 7f6a640e72..616f8b1cf6 100644
--- a/src/system-settings/nm-sysconfig-settings.c
+++ b/src/system-settings/nm-sysconfig-settings.c
@@ -259,6 +259,7 @@ get_plugin (NMSysconfigSettings *self, guint32 capability)
 	return NULL;
 }
 
+/* Returns an allocated string which the caller owns and must eventually free */
 char *
 nm_sysconfig_settings_get_hostname (NMSysconfigSettings *self)
 {
@@ -281,7 +282,7 @@ nm_sysconfig_settings_get_hostname (NMSysconfigSettings *self)
 		}
 	}
 
-	return hostname;
+	return NULL;
 }
 
 static void