authorBeniamino Galvani <bgalvani@redhat.com>2018-02-09 11:33:39 +0100
committerBeniamino Galvani <bgalvani@redhat.com>2018-02-13 15:48:17 +0100
commit706f870bfedc51db8bdfaf6fa1425afb492c8219 (patch)
tree872397963cc464ef0773bb449c96031943c72b3f
parentfcd832c9614d1a88fbefcfef34717554323e2647 (diff)
downloadNetworkManager-bg/asan-exec-bgo793332.tar.gz
connectivity: fix wrong memory accessbg/asan-exec-bgo793332
Don't use message data after calling curl_multi_remove_handle(). Fixes the following asan error: ================================================================= ==13238==ERROR: AddressSanitizer: heap-use-after-free on address 0x608000091ad0 at pc 0x55750f8d9a10 bp 0x7ffeb7f5f210 sp 0x7ffeb7f5f200 READ of size 8 at 0x608000091ad0 thread T0 #0 0x55750f8d9a0f in curl_check_connectivity (/usr/sbin/NetworkManager+0x190a0f) #1 0x55750f8da7dd in curl_socketevent_cb (/usr/sbin/NetworkManager+0x1917dd) #2 0x7f73cb64e8f8 in g_main_context_dispatch (/lib64/libglib-2.0.so.0+0x4a8f8) #3 0x7f73cb64ec57 (/lib64/libglib-2.0.so.0+0x4ac57) #4 0x7f73cb64ef29 in g_main_loop_run (/lib64/libglib-2.0.so.0+0x4af29) #5 0x55750f85c3f4 (/usr/sbin/NetworkManager+0x1133f4) #6 0x7f73c9f19384 in __libc_start_main (/lib64/libc.so.6+0x22384) #7 0x55750f85d7f7 (/usr/sbin/NetworkManager+0x1147f7) 0x608000091ad0 is located 48 bytes inside of 88-byte region [0x608000091aa0,0x608000091af8) freed by thread T0 here: #0 0x7f73cd61f508 in __interceptor_free (/lib64/libasan.so.4+0xde508) #1 0x7f73ca710eaa in curl_multi_remove_handle (/lib64/libcurl.so.4+0x32eaa) previously allocated by thread T0 here: #0 0x7f73cd61fa88 in __interceptor_calloc (/lib64/libasan.so.4+0xdea88) #1 0x7f73ca710b3d in curl_multi_add_handle (/lib64/libcurl.so.4+0x32b3d) SUMMARY: AddressSanitizer: heap-use-after-free (/usr/sbin/NetworkManager+0x190a0f)
-rw-r--r--src/nm-connectivity.c7
1 files changed, 5 insertions, 2 deletions
diff --git a/src/nm-connectivity.c b/src/nm-connectivity.c
index 656d02b9da..d8d4bf7d88 100644
--- a/src/nm-connectivity.c
+++ b/src/nm-connectivity.c
@@ -137,6 +137,7 @@ curl_check_connectivity (CURLM *mhandle, CURLMcode ret)
ConCheckCbData *cb_data;
CURLMsg *msg;
CURLcode eret;
+ CURL *easy_handle;
gint m_left;
long response_code;
@@ -182,8 +183,10 @@ curl_check_connectivity (CURLM *mhandle, CURLMcode ret)
finish_cb_data (cb_data, c);
}
- curl_multi_remove_handle (mhandle, msg->easy_handle);
- curl_easy_cleanup (msg->easy_handle);
+ /* Do not use message data after calling curl_multi_remove_handle() */
+ easy_handle = msg->easy_handle;
+ curl_multi_remove_handle (mhandle, easy_handle);
+ curl_easy_cleanup (easy_handle);
}
}
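Review bot: The comment added above `easy_handle = msg->easy_handle;` states the rule but not the reason, so a later edit could reintroduce the use-after-free by reading `msg` after the removal. The ASan report in the commit message shows the accessed region being freed inside curl_multi_remove_handle(), and the comment could say that directly: `/* msg points into storage that curl_multi_remove_handle() frees; copy easy_handle out first */`. Since the copy is only needed at this point, `easy_handle` could also be declared in the enclosing loop block rather than at function scope as the first hunk does. The body of curl_check_connectivity starts outside this hunk, so other reads of `msg` could not be checked from here.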