On Thu, Nov 21, 2019 at 3:24 PM John Crispin <john@xxxxxxxxxxx> wrote:
>
> On 21/11/2019 23:41, Brian Norris wrote:
> > Hit when, for instance, I'm stupid enough to type an invalid scan
> > command:
> >
> > # iw wlan0 scan -h
> > BUG at file position lib/msg.c:572:void nlmsg_free(struct nl_msg *)
> > iw: lib/msg.c:572: void nlmsg_free(struct nl_msg *): Assertion `0' failed.
> > Aborted (core dumped)
> >
> > Fixes: 2f74c59cf11e ("iw: fix memory leaks inside handle_scan")
> > Cc: John Crispin <john@xxxxxxxxxxx>
>
> wasn't me, nobody saw do anything
>
> try
>
> 367e7dd3 (Amit Khatri 2015-06-26 09:02:36 +0000 451) nlmsg_free(ssids);
> 367e7dd3 (Amit Khatri 2015-06-26 09:02:36 +0000 452) nlmsg_free(freqs);
>
> ???

I don't really care about "who", but it's nice to correctly note "what":

Your patch added 'goto nla_put_failure' in the DONE case (or fallthrough
from NONE), which introduced the double-free. Previously, it was just a
'return', which meant we needed to do the cleanup in 'case DONE'.

For Amit's patch: note how there's a 'return', which makes his code the
only possible call to nlmsg_free() (i.e., no double-free).

Brian
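The control-flow change Brian describes (an inline cleanup followed by 'return' being turned into 'goto nla_put_failure', where the label frees the same messages again) is easy to reproduce in isolation. The following is an added C example written for this page; it is not iw or libnl code. 'struct msg' and msg_release() are stand-ins for libnl's struct nl_msg / nlmsg_free() that count releases instead of freeing heap memory, so the double free shows up as a count of 2 rather than the assertion abort in the report. The three scan_* functions and releases_for() are hypothetical, and the DONE/NONE states and the nla_put_failure label only mirror the names used in the thread, not iw's actual handle_scan() body.

```c
#include <stdio.h>

/* Stand-in for struct nl_msg (added example, not libnl): records how many
 * times the message has been released. */
struct msg {
    int released;
};

/* Stand-in for nlmsg_free(): a second call on the same object is the bug. */
static void msg_release(struct msg *m)
{
    if (m)
        m->released++;
}

/* Hypothetical argument-parser states mirroring the thread's case labels. */
enum parse_state { NONE, DONE, SSID, FREQ };

/* Pattern 1, the 'return' style the thread attributes to Amit's patch: the
 * NONE/DONE case (e.g. an unparseable argument such as "-h") releases the
 * helper messages itself and returns.  The cleanup label is reached only
 * from the other cases, so every path releases each message exactly once. */
static int scan_return_style(enum parse_state parse, struct msg *ssids, struct msg *freqs)
{
    switch (parse) {
    case NONE:
    case DONE:
        msg_release(ssids);
        msg_release(freqs);
        return 1;               /* usage error: done, nothing else to clean */
    default:
        goto nla_put_failure;   /* other failures share the label below */
    }

nla_put_failure:
    msg_release(ssids);
    msg_release(freqs);
    return -1;
}

/* Pattern 2, the 'goto' style the thread says introduced the double free:
 * the inline releases in case DONE are kept, but 'return' has become
 * 'goto nla_put_failure', and the label releases the same messages again. */
static int scan_goto_style(enum parse_state parse, struct msg *ssids, struct msg *freqs)
{
    switch (parse) {
    case NONE:
    case DONE:
        msg_release(ssids);
        msg_release(freqs);
        goto nla_put_failure;   /* BUG: the label releases both again */
    default:
        goto nla_put_failure;
    }

nla_put_failure:
    msg_release(ssids);         /* second release of the same message */
    msg_release(freqs);
    return -1;
}

/* Pattern 3: one owner per path.  If the label is the single cleanup point,
 * case DONE must not release anything itself before jumping to it. */
static int scan_single_owner(enum parse_state parse, struct msg *ssids, struct msg *freqs)
{
    switch (parse) {
    case NONE:
    case DONE:
        goto nla_put_failure;   /* let the label do the only release */
    default:
        goto nla_put_failure;
    }

nla_put_failure:
    msg_release(ssids);
    msg_release(freqs);
    return -1;
}

/* Drive one variant with the DONE (rejected-argument) state and report how
 * many times the ssids message was released: 1 is correct, 2 is the double free. */
static int releases_for(int (*variant)(enum parse_state, struct msg *, struct msg *))
{
    struct msg ssids = { 0 }, freqs = { 0 };

    variant(DONE, &ssids, &freqs);
    return ssids.released;
}

int main(void)
{
    printf("return style:  %d release(s)\n", releases_for(scan_return_style));
    printf("goto style:    %d release(s)\n", releases_for(scan_goto_style));
    printf("single owner:  %d release(s)\n", releases_for(scan_single_owner));
    return 0;
}
```

The point of the third variant is the review rule the thread implies: a cleanup label and an early-return branch are two different ownership models, and converting one into the other means moving the frees, not adding a jump. With real nlmsg_free() the second release is a heap double free, which libnl here happened to catch with its BUG assertion; a build without that check would corrupt the allocator state instead.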