From b711256a5c82bc9471059bdfa962055d9d84d974 Mon Sep 17 00:00:00 2001
From: Dan Williams
Date: Thu, 7 Mar 2013 17:18:49 -0600
Subject: [PATCH] core: fix use-after-free

'device' is freed by nm_ip6_manager_cancel_addrconf(). Plus if addrconf fails, the DHCP options should be ignored anyway.

==23089== Thread 1:
==23089== Invalid read of size 4
==23089== at 0x4861E0: finish_addrconf (nm-ip6-manager.c:444)
==23089== by 0x39B904F7EA: g_timeout_dispatch (gmain.c:3882)
==23089== by 0x39B904EC54: g_main_context_dispatch (gmain.c:2539)
==23089== by 0x39B904EF87: g_main_context_iterate.isra.23 (gmain.c:3146)
==23089== by 0x39B904F381: g_main_loop_run (gmain.c:3340)
==23089== by 0x426188: main (main.c:614)
==23089== Address 0xcdb791c is 60 bytes inside a block of size 152 free'd
==23089== at 0x4A07786: free (vg_replace_malloc.c:446)
==23089== by 0x39B905499E: g_free (gmem.c:252)
==23089== by 0x39B90692FE: g_slice_free1 (gslice.c:1111)
==23089== by 0x39B903EC49: g_hash_table_remove_internal (ghash.c:1274)
==23089== by 0x4861DC: finish_addrconf (nm-ip6-manager.c:443)
==23089== by 0x39B904F7EA: g_timeout_dispatch (gmain.c:3882)
==23089== by 0x39B904EC54: g_main_context_dispatch (gmain.c:2539)
==23089== by 0x39B904EF87: g_main_context_iterate.isra.23 (gmain.c:3146)
==23089== by 0x39B904F381: g_main_loop_run (gmain.c:3340)
==23089== by 0x426188: main (main.c:614)

---
 src/ip6-manager/nm-ip6-manager.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/ip6-manager/nm-ip6-manager.c b/src/ip6-manager/nm-ip6-manager.c
index 784fc10bf3..0a1104b40c 100644
--- a/src/ip6-manager/nm-ip6-manager.c
+++ b/src/ip6-manager/nm-ip6-manager.c
@@ -442,7 +442,7 @@ finish_addrconf (gpointer user_data)
 nm_ip6_manager_cancel_addrconf (manager, ifindex);
 g_signal_emit (manager, signals[ADDRCONF_COMPLETE], 0,
- ifindex, device->dhcp_opts, FALSE);
+ ifindex, IP6_DHCP_OPT_NONE, FALSE);
 }
 return FALSE;
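Review bot: The local `device` is still in scope after `nm_ip6_manager_cancel_addrconf (manager, ifindex);` frees it (per the commit message, and the g_hash_table_remove_internal → g_slice_free1 frames in the valgrind trace suggest the device record is owned by a hash table inside that call), yet the patch only removes the one dereference instead of making the hazard visible where it arises. I would add `device = NULL; /* freed by nm_ip6_manager_cancel_addrconf() */` immediately after the cancel call so that any future read later in the function faults deterministically rather than silently reading freed memory, and so the next maintainer sees why `IP6_DHCP_OPT_NONE` is passed instead of the device's options. finish_addrconf's body begins before the hunk, so whether `device` or the `user_data` it was derived from is touched again after this point, or is released by a separate timeout destroy-notify, cannot be confirmed from here.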