Hello Zheng Junling, we now have 3 patches with obvious differences. Could you please explain what the changes are?
re, wh On 03.02.2015 10:12, Zheng Junling wrote: > While INET_sprint or INET6_sprint is called circularly by keeping > ifconfiging, sap->sa_family would be cleaned by other parallel processes > such as dhclient sometimes, and then there would be a double free error > like the following: > > *** glibc detected *** ifconfig: double free or corruption (fasttop): > 0x000a6008 *** > ======= Backtrace: ========= > /lib/libc.so.6(+0x6bc84)[0x40133c84] > /lib/libc.so.6(cfree+0x94)[0x40138684] > ifconfig[0x1c460] > ifconfig[0x1c6a0] > ifconfig[0x1ccf4] > ifconfig[0x187c8] > ifconfig[0xd544] > ifconfig[0xd5dc] > ifconfig[0xdca8] > /lib/libc.so.6(__libc_start_main+0x110)[0x400df258] > ======= Memory map: ======== > 00008000-0009c000 r-xp 00000000 1f:05 444328 /bin/busybox > 000a3000-000a4000 rw-p 00093000 1f:05 444328 /bin/busybox > > We set the buff pointer to be NULL to avoid double freeing. However, it > is still incomprehensible. > > TODO: INET_sprint and INET6_sprint are only used in networking/interface.c. > Shall we refactor these two funcs by passing a pointer to them, and then > returning it? > > Signed-off-by: Zheng Junling <[email protected]> > Signed-off-by: Chen Gang <[email protected]> > Reported-by: Chen Gang <[email protected]> > --- > networking/interface.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/networking/interface.c b/networking/interface.c > index bf7d2b1..65f2392 100644 > --- a/networking/interface.c > +++ b/networking/interface.c > @@ -92,6 +92,7 @@ static const char* FAST_FUNC INET_sprint(struct sockaddr > *sap, int numeric) > static char *buff; /* defaults to NULL */ > > free(buff); > + buff = NULL; > if (sap->sa_family == 0xFFFF || sap->sa_family == 0) > return "[NONE SET]"; > buff = INET_rresolve((struct sockaddr_in *) sap, numeric, 0xffffff00);
> @@ -174,6 +175,7 @@ static const char* FAST_FUNC INET6_sprint(struct sockaddr > *sap, int numeric) > static char *buff; > > free(buff); > + buff = NULL; > if (sap->sa_family == 0xFFFF || sap->sa_family == 0) > return "[NONE SET]"; > buff = INET6_rresolve((struct sockaddr_in6 *) sap, numeric);
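Review bot: In the INET_sprint hunk the reset is correct, but the commit message should state the cause instead of calling it "still incomprehensible", because the cause is visible in these lines: when `sap->sa_family` is 0xFFFF or 0 the function returns "[NONE SET]" right after `free(buff)` without reassigning the static `buff`, so the next call frees the same pointer a second time. Whatever makes sa_family read as unset (the message mentions dhclient running in parallel) only selects that path; the stale static pointer is what triggers the glibc abort. Please describe that sequence in the commit message so the fix can be judged on its own.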
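Review bot: In the INET6_sprint hunk the added `buff = NULL;` sits two lines above `buff = INET6_rresolve(...)`, so without a comment it reads as a dead store and is likely to be dropped in a later cleanup. Add a short comment that it covers the "[NONE SET]" early return, for example `buff = NULL; /* early return below must not leave a freed pointer */`, and apply the same comment in INET_sprint. The `static char *buff;` declaration here also lacks the `/* defaults to NULL */` comment that INET_sprint carries, and the identical free/reset/check sequence in both functions supports the refactoring raised in the TODO.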
