diff options
| author | Matt Fleming <matt.fleming@intel.com> | 2013-02-19 12:18:19 +0000 |
|---|---|---|
| committer | Matt Fleming <matt.fleming@intel.com> | 2013-02-26 11:29:13 +0000 |
| commit | 990f1ace09e79f99a196574f60e5484a5bb4a2d4 (patch) | |
| tree | 0889796c06dacec4b1eac0cda666838961e0add5 | |
| parent | c87df9b16191023498c2780e47527cfee3ddf015 (diff) | |
| download | syslinux-990f1ace09e79f99a196574f60e5484a5bb4a2d4.tar.gz | |
lwip: Fix use-after-free memory corruption
Set *sem to NULL after free() otherwise calling sys_sem_set_invalid()
will cause us to write into a memory location that has potentially
either been reused for another allocation or contains freelist
metadata.
This manifested as malloc() corruption, because we
sys_sem_set_invalid() was overwriting malloc metadata used for
maintaining the freelist.
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Eric W. Biederman <ebiederm@xmission.com>
Cc: Gene Cumm <gene.cumm@gmail.com>
Signed-off-by: Matt Fleming <matt.fleming@intel.com>
| -rw-r--r-- | core/lwip/src/arch/sys_arch.c | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/core/lwip/src/arch/sys_arch.c b/core/lwip/src/arch/sys_arch.c index 5f8437e8..894f6ada 100644 --- a/core/lwip/src/arch/sys_arch.c +++ b/core/lwip/src/arch/sys_arch.c @@ -25,6 +25,7 @@ void sys_sem_free(sys_sem_t *sem) if (!!sem && !!*sem) { sys_sem_set_invalid(sem); free(*sem); + *sem = NULL; } } |