
Re: [PATCH] iw: scan: fix double-free in error paths

On 22/11/2019 00:30, Brian Norris wrote:
> On Thu, Nov 21, 2019 at 3:24 PM John Crispin <john@xxxxxxxxxxx> wrote:
>>
>> On 21/11/2019 23:41, Brian Norris wrote:
>>> Hit when, for instance, I'm stupid enough to type an invalid scan
>>> command:
>>>
>>>     # iw wlan0 scan -h
>>>     BUG at file position lib/msg.c:572:void nlmsg_free(struct nl_msg *)
>>>     iw: lib/msg.c:572: void nlmsg_free(struct nl_msg *): Assertion `0' failed.
>>>     Aborted (core dumped)
>>>
>>> Fixes: 2f74c59cf11e ("iw: fix memory leaks inside handle_scan")
>>> Cc: John Crispin <john@xxxxxxxxxxx>
>>
>> wasn't me, nobody saw me do anything
>> try
>>
>> 367e7dd3 (Amit Khatri            2015-06-26 09:02:36 +0000  451)                 nlmsg_free(ssids);
>> 367e7dd3 (Amit Khatri            2015-06-26 09:02:36 +0000  452)                 nlmsg_free(freqs);
>>
>> ???
>
> I don't really care about "who", but it's nice to correctly note "what":
>
> Your patch added 'goto nla_put_failure' in the DONE case (or
> fallthrough from NONE), which introduced the double-free. Previously,
> it was just a 'return', which meant we needed to do the cleanup in
> 'case DONE'.
>
> For Amit's patch: note how there's a 'return', which makes his code
> the only possible call to nlmsg_free() (i.e., no double-free).
>
> Brian

point taken, I see it now :(
	John
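The pattern Brian describes, as an added example that is not iw's code and not the patch under discussion: a constructed stand-in for libnl's nl_msg whose free routine counts a second free instead of calling BUG(), and a small scan-argument parser that can be run in two shapes, the buggy one where `case DONE` frees both messages and then jumps to a cleanup label that frees them again, and the corrected one where every error path reaches the label and frees exactly once. The names handle_scan_buggy, handle_scan_fixed, count_double_frees, the pool allocator and the argument vocabulary ("freq", "ssid") are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in for libnl's struct nl_msg (constructed for this example).
 * Real libnl calls BUG() from nlmsg_free() when the refcount is already
 * <= 0, which is the abort shown in the mail; here the event is counted so
 * the two parser shapes can be compared. Messages come from a static pool
 * so that a second free never touches released memory. */
struct nl_msg { int refcnt; };

#define POOL_SIZE 32
static struct nl_msg pool[POOL_SIZE];
static int pool_next;
static int double_free_count;

static struct nl_msg *nlmsg_alloc(void)
{
    if (pool_next >= POOL_SIZE)
        return NULL;
    pool[pool_next].refcnt = 1;
    return &pool[pool_next++];
}

static void nlmsg_free(struct nl_msg *msg)
{
    if (!msg)
        return;               /* libnl's nlmsg_free(NULL) is a no-op as well */
    if (msg->refcnt <= 0) {
        double_free_count++;  /* libnl would BUG() here */
        return;
    }
    msg->refcnt--;
}

enum parse_state { NONE, FREQ, SSID, DONE };

/* One parser, two shapes. With free_in_done set, an unknown argument lands
 * in DONE, which frees both messages and then jumps to the cleanup label
 * that frees them again (the bug). With it clear, DONE only records the
 * error and the label does the single cleanup (the fix).
 * Returns 1 for a usage error, 0 on success. */
static int handle_scan(int argc, char **argv, int free_in_done)
{
    struct nl_msg *ssids = nlmsg_alloc();
    struct nl_msg *freqs = nlmsg_alloc();
    enum parse_state parse = NONE;
    int err = 0;

    while (argc) {
        switch (parse) {
        case NONE:
            if (strcmp(argv[0], "freq") == 0) { parse = FREQ; argc--; argv++; break; }
            if (strcmp(argv[0], "ssid") == 0) { parse = SSID; argc--; argv++; break; }
            parse = DONE;
            /* fall through */
        case DONE:
            if (free_in_done) {       /* buggy shape: first free here ... */
                nlmsg_free(ssids);
                nlmsg_free(freqs);
            }
            err = 1;
            goto nla_put_failure;     /* ... and the label frees again */
        case FREQ:
        case SSID:
            argc--; argv++;           /* consume the value */
            parse = NONE;
            break;
        }
    }
    nlmsg_free(ssids);
    nlmsg_free(freqs);
    return 0;

nla_put_failure:
    nlmsg_free(ssids);
    nlmsg_free(freqs);
    return err;
}

int handle_scan_buggy(int argc, char **argv) { return handle_scan(argc, argv, 1); }
int handle_scan_fixed(int argc, char **argv) { return handle_scan(argc, argv, 0); }

/* Resets the pool and counter, runs one shape on a constructed argv and
 * reports how many frees hit an already-freed message. */
int count_double_frees(int use_buggy, int argc, char **argv)
{
    pool_next = 0;
    double_free_count = 0;
    if (use_buggy)
        handle_scan_buggy(argc, argv);
    else
        handle_scan_fixed(argc, argv);
    return double_free_count;
}

int main(void)
{
    char *bad[] = { "-h" };   /* constructed: the invalid invocation from the mail */
    printf("buggy: %d double frees\n", count_double_frees(1, 1, bad));
    printf("fixed: %d double frees\n", count_double_frees(0, 1, bad));
    return 0;
}
```

Running it reports two double frees for the buggy shape (one per message) and none for the fixed one. Since libnl's nlmsg_free() tolerates a NULL pointer, clearing each pointer right after freeing it is the other common way to make a repeated cleanup harmless; routing every exit through one label, as above, avoids having two cleanup sites at all.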
