| author | Nick Mathewson <nickm@torproject.org> | 2010-03-13 01:04:30 -0500 |
|---|---|---|
| committer | Nick Mathewson <nickm@torproject.org> | 2010-03-13 01:04:30 -0500 |
| commit | 0cf1431e5d85411ac8174ffe3b802c6a37f6e3a8 (patch) | |
| tree | 8203217b35afd7b063c5c7e86db1557012be3eee /bufferevent.c | |
| parent | 274a7bd9a11fd25339c4b978a25367f6d5ff0238 (diff) | |
| download | libevent-0cf1431e5d85411ac8174ffe3b802c6a37f6e3a8.tar.gz | |
Avoid an (untriggerable so far) crash bug in bufferevent_free()
We were saying
mm_free(bufev - bufev->be_ops->mem_offset);
when we should have said
mm_free(((char*)bufev) - bufev->be_ops->mem_offset);
In other words, if mem_offset had ever been nonzero, then instead of
backing up mem_offset bytes to find the thing we were supposed to free, we
would have backed up mem_offset*sizeof(struct bufferevent) bytes, and freed
something completely crazy.
Spotted thanks to a conversation with Jardel Weyrich
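As an added illustration of the pointer-arithmetic mistake the commit message describes (example code written for this page, not libevent's own), the block below builds a constructed layout in which a public struct sits at a nonzero byte offset inside a larger private allocation, then evaluates both forms of the free expression against it. `struct pub_obj`, `struct priv_obj`, `MEM_OFFSET` and the arena are invented for the demonstration and stand in for `struct bufferevent`, its wrapping type and `be_ops->mem_offset`.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the libevent layout the commit is about: a public
 * struct embedded at a nonzero byte offset inside a larger private allocation,
 * with the allocation base recovered from the public pointer at free time.
 * Names here (struct pub_obj, struct priv_obj, MEM_OFFSET, arena) are
 * invented for this example; they are not libevent's. */

struct pub_obj {                /* stands in for struct bufferevent */
    int fd;
    unsigned char state[60];    /* padding so sizeof() is clearly > 1 */
};

struct priv_obj {               /* stands in for the wrapping private struct */
    uint64_t private_words[3];  /* 24 bytes of private state first ... */
    struct pub_obj pub;         /* ... then the object callers hold a pointer to */
};

/* Byte distance from the allocation base to the public object: the value
 * be_ops->mem_offset records in libevent. */
#define MEM_OFFSET offsetof(struct priv_obj, pub)

/* An 8-byte-aligned arena; the object is placed in the middle so that both
 * candidate "base" pointers below still fall inside one object and the
 * pointer arithmetic stays well-defined. */
static uint64_t arena[512];
#define OBJ_SLOT 2048

static struct priv_obj *place_object(void) {
    return (struct priv_obj *)((unsigned char *)arena + OBJ_SLOT);
}

/* The pre-fix expression: subtraction on a struct pub_obj* is scaled by
 * sizeof(struct pub_obj), so it backs up MEM_OFFSET * sizeof(struct pub_obj)
 * bytes instead of MEM_OFFSET bytes. */
static unsigned char *base_buggy(struct pub_obj *bufev) {
    return (unsigned char *)(bufev - MEM_OFFSET);
}

/* The fixed expression: cast to a byte pointer first, so MEM_OFFSET is a
 * byte count. */
static unsigned char *base_fixed(struct pub_obj *bufev) {
    return (unsigned char *)bufev - MEM_OFFSET;
}

/* How many bytes each form backs up from the public pointer. */
size_t bytes_backed_up_buggy(void) {
    struct pub_obj *bufev = &place_object()->pub;
    return (size_t)((unsigned char *)bufev - base_buggy(bufev));
}

size_t bytes_backed_up_fixed(void) {
    struct pub_obj *bufev = &place_object()->pub;
    return (size_t)((unsigned char *)bufev - base_fixed(bufev));
}

/* 1 if the given form recovers the true allocation base, else 0. */
int buggy_recovers_base(void) {
    struct priv_obj *o = place_object();
    return base_buggy(&o->pub) == (unsigned char *)o;
}

int fixed_recovers_base(void) {
    struct priv_obj *o = place_object();
    return base_fixed(&o->pub) == (unsigned char *)o;
}

int main(void) {
    printf("sizeof(struct pub_obj) = %zu, mem_offset = %zu bytes\n",
           sizeof(struct pub_obj), (size_t)MEM_OFFSET);
    printf("buggy form backs up %zu bytes (recovers base: %d)\n",
           bytes_backed_up_buggy(), buggy_recovers_base());
    printf("fixed form backs up %zu bytes (recovers base: %d)\n",
           bytes_backed_up_fixed(), fixed_recovers_base());
    return 0;
}
```

With a 64-byte public struct at offset 24, the unfixed form hands the allocator an address 1536 bytes before the object rather than 24, which is exactly the "mem_offset*sizeof(struct bufferevent)" effect the message describes; no compiler warning flags the scaled subtraction, so the only reliable guard is a layout with a nonzero offset exercised in a test.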
Diffstat (limited to 'bufferevent.c')
-rw-r--r-- | bufferevent.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/bufferevent.c b/bufferevent.c index 958fff90..350d44db 100644 --- a/bufferevent.c +++ b/bufferevent.c @@ -568,7 +568,7 @@ _bufferevent_decref_and_unlock(struct bufferevent *bufev) EVTHREAD_LOCKTYPE_RECURSIVE); /* Free the actual allocated memory. */ - mm_free(bufev - bufev->be_ops->mem_offset); + mm_free(((char*)bufev) - bufev->be_ops->mem_offset); /* Release the reference to underlying now that we no longer need the * reference to it. We wait this long mainly in case our lock is |
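Review bot: the `(char*)` cast in the `+` line is the right fix, but nothing in the hunk says why it is needed, and the old line read plausibly enough to survive review: subtracting from a `struct bufferevent *` scales `mem_offset` by `sizeof(struct bufferevent)`, so only a byte pointer gives the displacement that `be_ops->mem_offset` actually records. Suggest a one-line comment beside the cast, e.g. `/* mem_offset is a byte count; cast before subtracting */`, so the next reader does not "simplify" it back. Since the message notes the bug was untriggerable only because every `mem_offset` has been zero so far, a regression test that frees a bufferevent type with a nonzero `mem_offset` (under the allocator hooks that `mm_free` already goes through) would catch a reintroduction the compiler cannot.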