[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[GNUnet-SVN] [gnunet] branch master updated: Fix use-after-free in loop
From: |
gnunet |
Subject: |
[GNUnet-SVN] [gnunet] branch master updated: Fix use-after-free in loop over modified list |
Date: |
Tue, 19 Dec 2017 01:41:09 +0100 |
This is an automated email from the git hooks/post-receive script.
david-barksdale pushed a commit to branch master
in repository gnunet.
The following commit(s) were added to refs/heads/master by this push:
new 012ff13ac Fix use-after-free in loop over modified list
012ff13ac is described below
commit 012ff13acc0cb2f5d7210aa48819395fecf12a3d
Author: David Barksdale <address@hidden>
AuthorDate: Mon Dec 18 18:39:03 2017 -0600
Fix use-after-free in loop over modified list
This loop saved the next pointer which is OK if the current element is
being freed, but the callback can cause other elements to be freed which
was detected by ASAN.
---
src/cadet/gnunet-service-cadet_peer.c | 51 +++++++++++++++++++++++------------
1 file changed, 34 insertions(+), 17 deletions(-)
diff --git a/src/cadet/gnunet-service-cadet_peer.c
b/src/cadet/gnunet-service-cadet_peer.c
index 71c7c67d0..c4e2c0ccf 100644
--- a/src/cadet/gnunet-service-cadet_peer.c
+++ b/src/cadet/gnunet-service-cadet_peer.c
@@ -532,32 +532,49 @@ GCP_set_mq (struct CadetPeer *cp,
GCP_2s (cp),
mq);
cp->core_mq = mq;
- for (struct GCP_MessageQueueManager *mqm = cp->mqm_head, *next;
+ /* Since these callbacks can remove any items from this list, we must take a
+ * snapshot and then test each one to see if it's still in the list. */
+ int count = 0;
+ for (struct GCP_MessageQueueManager *mqm = cp->mqm_head;
NULL != mqm;
- mqm = next)
+ mqm = mqm->next)
+ ++count;
+ struct GCP_MessageQueueManager *mqms[count];
+ int i = 0;
+ for (struct GCP_MessageQueueManager *mqm = cp->mqm_head;
+ NULL != mqm;
+ mqm = mqm->next)
+ mqms[i++] = mqm;
+ for (i = 0; i < count; ++i)
{
- /* Save next pointer in case mqm gets freed by the callback */
- next = mqm->next;
- if (NULL == mq)
+ for (struct GCP_MessageQueueManager *mqm = cp->mqm_head;
+ NULL != mqm;
+ mqm = mqm->next)
{
- if (NULL != mqm->env)
+ if (mqms[i] != mqm)
+ continue;
+ if (NULL == mq)
{
- GNUNET_MQ_discard (mqm->env);
- mqm->env = NULL;
- mqm->cb (mqm->cb_cls,
- GNUNET_SYSERR);
+ if (NULL != mqm->env)
+ {
+ GNUNET_MQ_discard (mqm->env);
+ mqm->env = NULL;
+ mqm->cb (mqm->cb_cls,
+ GNUNET_SYSERR);
+ }
+ else
+ {
+ mqm->cb (mqm->cb_cls,
+ GNUNET_NO);
+ }
}
else
{
+ GNUNET_assert (NULL == mqm->env);
mqm->cb (mqm->cb_cls,
- GNUNET_NO);
+ GNUNET_YES);
}
- }
- else
- {
- GNUNET_assert (NULL == mqm->env);
- mqm->cb (mqm->cb_cls,
- GNUNET_YES);
+ break;
}
}
if ( (NULL != mq) ||
--
To stop receiving notification emails like this one, please contact
address@hidden
[Prev in Thread] |
Current Thread |
[Next in Thread] |
- [GNUnet-SVN] [gnunet] branch master updated: Fix use-after-free in loop over modified list,
gnunet <=