From ae7de5b353b8bdbfefd6a67c8fe53678cf78a60a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=8D=C3=B1igo=20Huguet?=
Date: Wed, 2 Apr 2025 10:16:15 +0200
Subject: [PATCH] core: fix use after free in ping operations

Detected by coverity, the ping_op pointers are used after being freed in cleanup_ping_operations. Although calling to g_list_remove is probably safe because it only needs the value of the pointer, not to dereference it, better to follow best practices. One of the use after free was actually an error because we dereference ping_op->log_domain.

Fixes: 658aef0fa185 ('connection: Support connection.ip-ping-addresses')
---
 src/core/devices/nm-device.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/core/devices/nm-device.c b/src/core/devices/nm-device.c
index d86684944c..531db5fb72 100644
--- a/src/core/devices/nm-device.c
+++ b/src/core/devices/nm-device.c
@@ -15122,8 +15122,8 @@ respawn_ping_cb(gpointer user_data)
 nm_clear_g_source_inst(&ping_op->watch);
 if (!spawn_ping_for_operation(self, ping_op)) {
- cleanup_ping_operation(ping_op);
 priv->ping_operations = g_list_remove(priv->ping_operations, ping_op);
+ cleanup_ping_operation(ping_op);
 if (g_list_length(priv->ping_operations) == 0) {
 ip_check_pre_up(self);
@@ -15166,7 +15166,6 @@ ip_check_ping_watch_cb(GPid pid, int status, gpointer user_data)
 if (success) {
 if (ping_op->ping_addresses_require_all) {
- cleanup_ping_operation(ping_op);
 priv->ping_operations = g_list_remove(priv->ping_operations, ping_op);
 if (g_list_length(priv->ping_operations) == 0) {
 _LOGD(ping_op->log_domain,
@@ -15176,6 +15175,7 @@ ip_check_ping_watch_cb(GPid pid, int status, gpointer user_data)
 nm_clear_g_source_inst(&priv->ping_timeout);
 ip_check_pre_up(self);
 }
+ cleanup_ping_operation(ping_op);
 } else {
 nm_assert(priv->ping_operations);
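Review bot: After the reordered `cleanup_ping_operation(ping_op);` in respawn_ping_cb the local `ping_op` still holds the freed address, and the rest of the function lies outside the hunk, so a later read of it would bring the use-after-free back with nothing at the free site to flag it. Clearing the pointer where it is released closes that off and gives static analysis something to verify: `g_clear_pointer(&ping_op, cleanup_ping_operation);`, or `ping_op = NULL;` directly after the call. The same applies to the call moved below the `_LOGD(ping_op->log_domain, ...)` block in ip_check_ping_watch_cb. That function's `else` branch continues past the last hunk, so it is worth confirming it does not read `ping_op->log_domain` after releasing the operations in `priv->ping_operations`.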