author | Alex Riesen <raa.lkml@gmail.com> | 2008-04-28 22:23:35 +0200 |
---|---|---|
committer | Junio C Hamano <gitster@pobox.com> | 2008-04-28 23:57:47 -0700 |
commit | 7b7f39eae6ab0bbcc68d3c42a5b23595880e528f (patch) | |
tree | b7ce174e5105d17193cef8208876b6ccaade51c3 | |
parent | 72269ad9564b700e6aab30338e35b4e6ffea854d (diff) | |
download | git-7b7f39eae6ab0bbcc68d3c42a5b23595880e528f.tar.gz |
Fix use after free() in builtin-fetch
As reported by Dave Jones:
Since master.kernel.org updated to latest, I noticed that I could crash
git-fetch by doing this..
export KERNEL=/pub/scm/linux/kernel/git/
git fetch $KERNEL/torvalds/linux-2.6 master:linus
(gdb) bt
0 0x000000349fd6d44b in free () from /lib64/libc.so.6
1 0x000000000048f4eb in transport_unlock_pack (transport=0x7ce530) at transport.c:811
2 0x000000349fd31b25 in exit () from /lib64/libc.so.6
3 0x00000000004043d8 in handle_internal_command (argc=3, argv=0x7fffea4449f0) at git.c:379
4 0x0000000000404547 in main (argc=3, argv=0x7fffea4449f0) at git.c:443
5 0x000000349fd1c784 in __libc_start_main () from /lib64/libc.so.6
6 0x0000000000403ef9 in ?? ()
7 0x00007fffea4449d8 in ?? ()
8 0x0000000000000000 in ?? ()
I then remembered, my .bashrc has this..
export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
which is handy for showing up such bugs.
More info on this glibc feature is at http://udrepper.livejournal.com/11429.html
Signed-off-by: Alex Riesen <raa.lkml@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
-rw-r--r-- | builtin-fetch.c | 8 |
1 files changed, 5 insertions, 3 deletions
diff --git a/builtin-fetch.c b/builtin-fetch.c
index 139a6b10c5..167f948036 100644
--- a/builtin-fetch.c
+++ b/builtin-fetch.c
@@ -577,8 +577,6 @@ static int do_fetch(struct transport *transport,
  free_refs(ref_map);
  }
- transport_disconnect(transport);
-
  return 0;
  }
@@ -599,6 +597,7 @@ int cmd_fetch(int argc, const char **argv, const char *prefix)
  int i;
  static const char **refs = NULL;
  int ref_nr = 0;
+ int exit_code;
  /* Record the command line for the reflog */
  strbuf_addstr(&default_rla, "fetch");
@@ -652,6 +651,9 @@ int cmd_fetch(int argc, const char **argv, const char *prefix)
  signal(SIGINT, unlock_pack_on_signal);
  atexit(unlock_pack);
- return do_fetch(transport,
+ exit_code = do_fetch(transport,
  parse_fetch_refspec(ref_nr, refs), ref_nr);
+ transport_disconnect(transport);
+ transport = NULL;
+ return exit_code;
  }
|
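Review bot: Between `transport_disconnect(transport);` and `transport = NULL;` at the end of cmd_fetch the pointer is dangling while the `unlock_pack_on_signal` handler installed two lines earlier is still armed, so a SIGINT arriving in that window would presumably reach the same free() on released memory that the backtrace in the commit message shows. Clearing the pointer first through a local closes the window, assuming do_fetch has already released the pack lock by then: `struct transport *t = transport; transport = NULL; transport_disconnect(t);`. The fix also relies on unlock_pack() testing `transport` for NULL before calling transport_unlock_pack(), which is outside this hunk and should be confirmed. A short comment above the assignment, e.g. `/* unlock_pack() still runs at exit and must not see the freed transport */`, would record why the pointer is cleared. cmd_fetch's body starts outside the hunk.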