From d19068c9e349f8a219fad712c8af38bfda670f3f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=8D=C3=B1igo=20Huguet?=
Date: Wed, 2 Apr 2025 10:16:15 +0200
Subject: [PATCH] core: fix use after free in ping operations

Detected by coverity, the ping_op pointers are used after being freed in cleanup_ping_operations. Although calling to g_list_remove is probably safe because it only needs the value of the pointer, not to dereference it, better to follow best practices. One of the use after free was actually an error because we dereference ping_op->log_domain.
Fixes: 658aef0fa185 ('connection: Support connection.ip-ping-addresses')
(cherry picked from commit ae7de5b353b8bdbfefd6a67c8fe53678cf78a60a)
---
 src/core/devices/nm-device.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/core/devices/nm-device.c b/src/core/devices/nm-device.c
index 5aabc4cb90..4c1cc4160b 100644
--- a/src/core/devices/nm-device.c
+++ b/src/core/devices/nm-device.c
@@ -15088,8 +15088,8 @@ respawn_ping_cb(gpointer user_data)
 nm_clear_g_source_inst(&ping_op->watch);
 if (!spawn_ping_for_operation(self, ping_op)) {
- cleanup_ping_operation(ping_op);
 priv->ping_operations = g_list_remove(priv->ping_operations, ping_op);
+ cleanup_ping_operation(ping_op);
 if (g_list_length(priv->ping_operations) == 0) {
 ip_check_pre_up(self);
@@ -15132,7 +15132,6 @@ ip_check_ping_watch_cb(GPid pid, int status, gpointer user_data)
 if (success) {
 if (ping_op->ping_addresses_require_all) {
- cleanup_ping_operation(ping_op);
 priv->ping_operations = g_list_remove(priv->ping_operations, ping_op);
 if (g_list_length(priv->ping_operations) == 0) {
 _LOGD(ping_op->log_domain,
@@ -15142,6 +15141,7 @@ ip_check_ping_watch_cb(GPid pid, int status, gpointer user_data)
 nm_clear_g_source_inst(&priv->ping_timeout);
 ip_check_pre_up(self);
 }
+ cleanup_ping_operation(ping_op);
 } else {
 nm_assert(priv->ping_operations);
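Review bot: Nothing at the reordered call in respawn_ping_cb records that `cleanup_ping_operation()` frees `ping_op`, so the ordering this patch restores still depends on the next editor knowing it; the same holds for the call moved in ip_check_ping_watch_cb (third hunk). I would add `/* frees ping_op: unlink it from priv->ping_operations first, no access after this call */` above each call, or put that sentence in the function's own header comment. respawn_ping_cb continues past the end of this hunk, so whether `ping_op` is read again further down that path cannot be checked from here. Since the commit message says the original report came from Coverity, a re-scan of the patched branch would confirm no later use remains.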
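Review bot: In the require-all success path of ip_check_ping_watch_cb the free now sits after the `if (g_list_length(priv->ping_operations) == 0)` block, so `ping_op` is already unlinked from the list but still alive while `ip_check_pre_up(self)` runs. That is correct as written, but it leaves remove and free separated here while they are adjacent in respawn_ping_cb. Copying `ping_op->log_domain` into a local before the removal would let both sites use the same sequence, `priv->ping_operations = g_list_remove(priv->ping_operations, ping_op);` immediately followed by `cleanup_ping_operation(ping_op);`, which is easier to audit and to fold into a single helper later. The block opens in the previous hunk and the else branch continues outside this one.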