On 26/06/14 10:13, Patrik Flykt wrote:
> On Wed, 2014-06-25 at 18:56 +0300, Slava Monich wrote:
> > Calling __connman_wispr_stop() without connman_agent_cancel() allows pending
> > wispr requests to complete later, which results in read/write access to the
> > freed memory and a subsequent crash.
>
> Which freed memory is accessed here?


connmand[3388]: src/agent.c:agent_receive_message() agent 0x51129e0 req 0x5018d50
connmand[3388]: src/wispr.c:wispr_portal_browser_reply_cb()
connmand[3388]: src/wispr.c:wispr_portal_error() Failed to proceed wispr/portal web request
==3388== Invalid write of size 4
==3388==    at 0xAB2C4: wispr_portal_error (wispr.c:422)
==3388==    by 0xAB88B: wispr_portal_browser_reply_cb (wispr.c:562)
==3388==    by 0x74F63: request_browser_reply (agent-connman.c:587)
==3388==    by 0x756EB: agent_finalize_pending (agent.c:121)
==3388==    by 0x75A33: agent_receive_message (agent.c:203)
==3388==    by 0x4965773: _dbus_pending_call_complete (dbus-pending-call.c:223)
==3388==    by 0x4951607: complete_pending_call_and_unlock (dbus-connection.c:2314)
==3388==    by 0x4954CA3: dbus_connection_dispatch (dbus-connection.c:4580)
==3388==    by 0xC3837: message_dispatch (mainloop.c:72)
==3388==    by 0x489EEEF: g_idle_dispatch (gmain.c:5251)
==3388==    by 0x48A1EAB: g_main_context_dispatch (gmain.c:3066)
==3388==    by 0x48A2067: g_main_context_iterate.part.8 (gmain.c:3713)
==3388==    by 0x48A2683: g_main_loop_run (gmain.c:3680)
==3388==    by 0x52313: main (main.c:739)
==3388==  Address 0x4ef7ff0 is 344 bytes inside a block of size 376 free'd
==3388==    at 0x4837698: free (vg_replace_malloc.c:468)
==3388==    by 0x4AE2D4F: fclose (in /lib/libc-2.15.so)
==3388==
==3388== Invalid read of size 4
==3388==    at 0xAA964: free_wispr_routes (wispr.c:127)
==3388==    by 0xAB893: wispr_portal_browser_reply_cb (wispr.c:563)
==3388==    by 0x74F63: request_browser_reply (agent-connman.c:587)
==3388==    by 0x756EB: agent_finalize_pending (agent.c:121)
==3388==    by 0x75A33: agent_receive_message (agent.c:203)
==3388==    by 0x4965773: _dbus_pending_call_complete (dbus-pending-call.c:223)
==3388==    by 0x4951607: complete_pending_call_and_unlock (dbus-connection.c:2314)
==3388==    by 0x4954CA3: dbus_connection_dispatch (dbus-connection.c:4580)
==3388==    by 0xC3837: message_dispatch (mainloop.c:72)
==3388==    by 0x489EEEF: g_idle_dispatch (gmain.c:5251)
==3388==    by 0x48A1EAB: g_main_context_dispatch (gmain.c:3066)
==3388==    by 0x48A2067: g_main_context_iterate.part.8 (gmain.c:3713)
==3388==    by 0x48A2683: g_main_loop_run (gmain.c:3680)
==3388==    by 0x52313: main (main.c:739)
==3388==  Address 0x4ef7ff4 is 348 bytes inside a block of size 376 free'd
==3388==    at 0x4837698: free (vg_replace_malloc.c:468)
==3388==    by 0x4AE2D4F: fclose (in /lib/libc-2.15.so)

and so on. Eventually

==3388== Process terminating with default action of signal 11 (SIGSEGV): dumping core
==3388==  Access not within mapped region at address 0x2E726567
==3388==    at 0xAA858: free_wispr_routes (wispr.c:128)
==3388==    by 0xAB893: wispr_portal_browser_reply_cb (wispr.c:563)
==3388==    by 0x74F63: request_browser_reply (agent-connman.c:587)
==3388==    by 0x756EB: agent_finalize_pending (agent.c:121)
==3388==    by 0x75A33: agent_receive_message (agent.c:203)
==3388==    by 0x4965773: _dbus_pending_call_complete (dbus-pending-call.c:223)
==3388==    by 0x4951607: complete_pending_call_and_unlock (dbus-connection.c:2314)
==3388==    by 0x4954CA3: dbus_connection_dispatch (dbus-connection.c:4580)
==3388==    by 0xC3837: message_dispatch (mainloop.c:72)
==3388==    by 0x489EEEF: g_idle_dispatch (gmain.c:5251)
==3388==    by 0x48A1EAB: g_main_context_dispatch (gmain.c:3066)
==3388==    by 0x48A2067: g_main_context_iterate.part.8 (gmain.c:3713)
==3388==    by 0x48A2683: g_main_loop_run (gmain.c:3680)
==3388==    by 0x52313: main (main.c:739)
_______________________________________________
connman mailing list
connman@connman.net
https://lists.connman.net/mailman/listinfo/connman
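The lifecycle bug described in the commit message (a context freed by __connman_wispr_stop() while an agent request that still points at it is queued, so the reply callback later writes into freed memory), shown as an added example. This is not ConnMan's code and not the patch: the agent queue, the `agent_cancel()` stand-in for connman_agent_cancel(), the `wispr_context` struct and the sample route string are all assumptions made for the demo, and the released context is poisoned with a magic value instead of being handed to free() so that the dangling callback can be counted rather than crash the process as it does in the Valgrind trace above.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed model of the agent/wispr interaction, not ConnMan's own code:
 * agent requests are asynchronous and their reply callback runs on a later
 * main-loop turn with the user_data pointer captured at request time. */
typedef void (*reply_cb_t)(void *user_data, bool ok);

struct agent_request {
    reply_cb_t cb;
    void *user_data;
    struct agent_request *next;
};

static struct agent_request *pending;   /* in-flight requests, newest first */

#define CTX_LIVE 0x4c495645u
#define CTX_DEAD 0x44454144u

/* Per-portal context; 'routes' stands in for the list free_wispr_routes() walks. */
struct wispr_context {
    unsigned magic;
    int status;
    char *routes;
};

static int stale_callbacks;   /* replies delivered to an already-released ctx */

static void agent_request_browser(reply_cb_t cb, void *user_data)
{
    struct agent_request *req = calloc(1, sizeof(*req));
    req->cb = cb;
    req->user_data = user_data;
    req->next = pending;
    pending = req;
}

/* Stand-in for connman_agent_cancel(): drop every queued request that
 * would call back with this user_data. */
static void agent_cancel(void *user_data)
{
    struct agent_request **pp = &pending;
    while (*pp) {
        struct agent_request *req = *pp;
        if (req->user_data == user_data) {
            *pp = req->next;
            free(req);
        } else {
            pp = &req->next;
        }
    }
}

/* One main-loop turn: the D-Bus replies arrive and the callbacks fire. */
static void agent_dispatch(void)
{
    while (pending) {
        struct agent_request *req = pending;
        pending = req->next;
        req->cb(req->user_data, false);
        free(req);
    }
}

/* Plays the role of wispr_portal_browser_reply_cb(). */
static void browser_reply_cb(void *user_data, bool ok)
{
    struct wispr_context *ctx = user_data;
    (void)ok;
    if (ctx->magic != CTX_LIVE) {
        /* With a real free() these would be the invalid write in
         * wispr_portal_error() and the invalid read in free_wispr_routes(). */
        stale_callbacks++;
        return;
    }
    ctx->status = -1;       /* wispr_portal_error() */
    free(ctx->routes);      /* free_wispr_routes() */
    ctx->routes = NULL;
}

/* Poison instead of free(), so the demo can observe the dangling use
 * without crashing; the real code frees the block here. */
static void wispr_context_release(struct wispr_context *ctx)
{
    free(ctx->routes);
    ctx->routes = NULL;
    ctx->magic = CTX_DEAD;
}

/* Returns how many replies reached a released context: 1 when stop skips
 * the cancel (the reported bug), 0 when the pending request is cancelled. */
int run_scenario(bool cancel_before_stop)
{
    const char sample[] = "10.0.0.0/8 via 10.0.0.1";   /* constructed sample */
    struct wispr_context *ctx = calloc(1, sizeof(*ctx));
    ctx->magic = CTX_LIVE;
    ctx->routes = malloc(sizeof(sample));
    memcpy(ctx->routes, sample, sizeof(sample));
    stale_callbacks = 0;
    agent_request_browser(browser_reply_cb, ctx);   /* ask the agent */
    /* __connman_wispr_stop(), with and without the cancel: */
    if (cancel_before_stop)
        agent_cancel(ctx);
    wispr_context_release(ctx);
    agent_dispatch();   /* later: the browser reply comes back */
    free(ctx);          /* the poisoned block is released for real here */
    return stale_callbacks;
}

int main(void)
{
    printf("without cancel: %d stale callback(s)\n", run_scenario(false));
    printf("with cancel:    %d stale callback(s)\n", run_scenario(true));
    return 0;
}
```

The ordering is the whole point: anything that can still call back with a pointer to the context has to be cancelled before the context is released, and cancelling by user_data (rather than by request handle) is what catches a request whose handle the stop path no longer knows about.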