On 22/11/2019 00:30, Brian Norris wrote:
On Thu, Nov 21, 2019 at 3:24 PM John Crispin <john@xxxxxxxxxxx> wrote:
On 21/11/2019 23:41, Brian Norris wrote:
Hit when, for instance, I'm stupid enough to type an invalid scan
command:
# iw wlan0 scan -h
BUG at file position lib/msg.c:572:void nlmsg_free(struct nl_msg *)
iw: lib/msg.c:572: void nlmsg_free(struct nl_msg *): Assertion `0' failed.
Aborted (core dumped)
Fixes: 2f74c59cf11e ("iw: fix memory leaks inside handle_scan")
Cc: John Crispin <john@xxxxxxxxxxx>
wasn't me, nobody saw me do anything
try
367e7dd3 (Amit Khatri 2015-06-26 09:02:36 +0000 451) nlmsg_free(ssids);
367e7dd3 (Amit Khatri 2015-06-26 09:02:36 +0000 452) nlmsg_free(freqs);
???
I don't really care about "who", but it's nice to correctly note "what":
Your patch added 'goto nla_put_failure' in the DONE case (or
fallthrough from NONE), which introduced the double-free. Previously,
it was just a 'return', which meant we needed to do the cleanup in
'case DONE'.
For Amit's patch: note how there's a 'return', which makes his code
the only possible call to nlmsg_free() (i.e., no double-free).
Brian
point taken, I see it now :(
John
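The control flow Brian describes, reduced to a stand-alone model (an added example, not iw's handle_scan and not libnl): a single switch with a "case DONE" reached by fall-through from NONE on an unknown token such as "-h", and a cleanup label that frees both messages. The message struct, the parse states and fake_nlmsg_free() are stand-ins; the only behaviour borrowed from libnl is that nlmsg_free() decrements a refcount and BUG()s when it goes negative, which is the "Assertion `0' failed" in the report. Here the underflow is counted instead of aborting, so both the double-freeing shape (frees in case DONE, then goto) and the fixed shape (goto only, one free at the label) can be run side by side.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in for libnl's struct nl_msg (hypothetical, for illustration). */
struct fake_msg {
    int refcnt;
};

/* Models nlmsg_free(): NULL is a no-op, a refcount that drops below zero is
 * a double free. libnl calls BUG() there (the assert in the bug report);
 * this model counts it in *underflows and leaves the object inspectable. */
static void fake_nlmsg_free(struct fake_msg *m, int *underflows)
{
    if (!m)
        return;
    m->refcnt--;
    if (m->refcnt < 0)
        (*underflows)++;
}

/* Hypothetical parse states; DONE is only reached by falling through
 * from NONE on a token the parser does not understand. */
enum parse_state { NONE, FREQ, SSID, DONE };

/* free_in_done_case == 1 reproduces the double-freeing shape: 'case DONE'
 * frees ssids/freqs and then jumps to nla_put_failure, which frees again.
 * free_in_done_case == 0 is the fixed shape: 'case DONE' only records the
 * error and jumps, so each message is freed exactly once at the label.
 * Returns the error code; *double_frees receives the number of refcount
 * underflows observed (0 means no double free). */
static int handle_scan_model(int free_in_done_case, int argc,
                             const char *const *argv, int *double_frees)
{
    struct fake_msg ssids_s = { 1 }, freqs_s = { 1 };
    struct fake_msg *ssids = &ssids_s, *freqs = &freqs_s;
    enum parse_state parse = NONE;
    int err = 0;
    int i;

    *double_frees = 0;

    for (i = 0; i < argc; i++) {
        switch (parse) {
        case NONE:
            if (strcmp(argv[i], "freq") == 0) {
                parse = FREQ;
                break;
            }
            if (strcmp(argv[i], "ssid") == 0) {
                parse = SSID;
                break;
            }
            /* fall through - unknown token is an error */
        case DONE:
            if (free_in_done_case) {
                /* cleanup that used to precede a plain 'return' */
                fake_nlmsg_free(ssids, double_frees);
                fake_nlmsg_free(freqs, double_frees);
            }
            err = 1;
            goto nla_put_failure;   /* the label frees both again */
        case FREQ:
        case SSID:
            /* a real implementation would nla_put the value here */
            parse = NONE;
            break;
        }
    }

nla_put_failure:
    fake_nlmsg_free(ssids, double_frees);
    fake_nlmsg_free(freqs, double_frees);
    return err;
}

int main(void)
{
    const char *bad[] = { "-h" };          /* constructed input */
    const char *good[] = { "freq", "2412" };
    int dfs;

    handle_scan_model(1, 1, bad, &dfs);
    printf("frees in case DONE + goto: %d double free(s)\n", dfs);
    handle_scan_model(0, 1, bad, &dfs);
    printf("goto only:                 %d double free(s)\n", dfs);
    handle_scan_model(0, 2, good, &dfs);
    printf("valid arguments:           %d double free(s)\n", dfs);
    return 0;
}
```

The knob is deliberately the only difference between the two variants: with a plain 'return' in 'case DONE' the frees there were the sole cleanup, but once that return became a 'goto nla_put_failure' the same two objects were released on both paths, and the first call after the refcount reaches zero is what trips libnl's check.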