dhcp_invalidate was freeing dhcp and duplicating network unref
(reported by Tomasz Bursztyka), thus causinhg invalid reads,
when ipv4ll_announce_timeout was triggered. The patch consists
of freeing dhcp only when dhcp is stopped and network removal
and unref are previously checked against network_list.
---
src/dhcp.c | 14 +++++---------
1 file changed, 5 insertions(+), 9 deletions(-)
diff --git a/src/dhcp.c b/src/dhcp.c
index e4bac67..eb37cfe 100644
--- a/src/dhcp.c
+++ b/src/dhcp.c
@@ -86,7 +86,6 @@ static void dhcp_invalidate(struct connman_dhcp *dhcp, bool
callback)
{
struct connman_service *service;
struct connman_ipconfig *ipconfig;
- bool network_removed = false;
int i;
DBG("dhcp %p callback %u", dhcp, callback);
@@ -132,18 +131,14 @@ static void dhcp_invalidate(struct connman_dhcp *dhcp,
bool callback)
__connman_ipconfig_set_gateway(ipconfig, NULL);
__connman_ipconfig_set_prefixlen(ipconfig, 0);
- if (dhcp->callback && callback) {
- g_hash_table_remove(network_table, dhcp->network);
- network_removed = true;
+ if (dhcp->callback && callback)
dhcp->callback(dhcp->network, false, NULL);
- }
out:
- if (!network_removed)
+ if (g_hash_table_contains(network_table, dhcp->network)) {
g_hash_table_remove(network_table, dhcp->network);
-
- connman_network_unref(dhcp->network);
- dhcp_free(dhcp);
+ connman_network_unref(dhcp->network);
+ }
}
static void dhcp_valid(struct connman_dhcp *dhcp)
@@ -627,6 +622,7 @@ void __connman_dhcp_stop(struct connman_network *network)
if (dhcp) {
dhcp_release(dhcp);
dhcp_invalidate(dhcp, false);
+ dhcp_free(dhcp);
}
}
--
1.8.3.2
_______________________________________________
connman mailing list
connman@connman.net
https://lists.connman.net/mailman/listinfo/connman
