mirror of
https://gitlab.freedesktop.org/NetworkManager/NetworkManager.git
synced 2026-06-10 03:18:27 +02:00
core: fix use-after-free
'device' is freed by nm_ip6_manager_cancel_addrconf(). Plus if addrconf fails, the DHCP options should be ignored anyway. ==23089== Thread 1: ==23089== Invalid read of size 4 ==23089== at 0x4861E0: finish_addrconf (nm-ip6-manager.c:444) ==23089== by 0x39B904F7EA: g_timeout_dispatch (gmain.c:3882) ==23089== by 0x39B904EC54: g_main_context_dispatch (gmain.c:2539) ==23089== by 0x39B904EF87: g_main_context_iterate.isra.23 (gmain.c:3146) ==23089== by 0x39B904F381: g_main_loop_run (gmain.c:3340) ==23089== by 0x426188: main (main.c:614) ==23089== Address 0xcdb791c is 60 bytes inside a block of size 152 free'd ==23089== at 0x4A07786: free (vg_replace_malloc.c:446) ==23089== by 0x39B905499E: g_free (gmem.c:252) ==23089== by 0x39B90692FE: g_slice_free1 (gslice.c:1111) ==23089== by 0x39B903EC49: g_hash_table_remove_internal (ghash.c:1274) ==23089== by 0x4861DC: finish_addrconf (nm-ip6-manager.c:443) ==23089== by 0x39B904F7EA: g_timeout_dispatch (gmain.c:3882) ==23089== by 0x39B904EC54: g_main_context_dispatch (gmain.c:2539) ==23089== by 0x39B904EF87: g_main_context_iterate.isra.23 (gmain.c:3146) ==23089== by 0x39B904F381: g_main_loop_run (gmain.c:3340) ==23089== by 0x426188: main (main.c:614)
This commit is contained in:
Dan Williams
parent
e98d6430a8
commit
b711256a5c
1 changed files with 1 additions and 1 deletions
|
|
@ -442,7 +442,7 @@ finish_addrconf (gpointer user_data)
|
|||
|
||||
nm_ip6_manager_cancel_addrconf (manager, ifindex);
|
||||
g_signal_emit (manager, signals[ADDRCONF_COMPLETE], 0,
|
||||
ifindex, device->dhcp_opts, FALSE);
|
||||
ifindex, IP6_DHCP_OPT_NONE, FALSE);
|
||||
}
|
||||
|
||||
return FALSE;
|
||||
|
|
|
|||
Loading…
Add table
Reference in a new issue