It is possible that the network is disconnected while we are
waiting for DAD (Duplicate Address Detection) to finish.
DAD is done quite fast (timeout is 1 sec) so this is quite
unlikely to trigger but possible as seen by this valgrind
report. Because the network disappeared while waiting for the DAD
reply, the network pointer is set to NULL and we must
not access it.
connmand[4345]: src/dhcpv6.c:dad_reply() user 0x530d540 reply (nil) len 0
address 2001:db8:dd:bf:b71c:19ad:e6f5:7a93 index 3 data 0x530d540
connmand[4345]: src/dhcpv6.c:dad_reply() DAD succeed for
2001:db8:dd:bf:b71c:19ad:e6f5:7a93
connmand[4345]: src/network.c:dhcpv6_callback() status 1
connmand[4345]: src/network.c:connman_network_set_error() network (nil) error 2
==4345== Invalid write of size 1
==4345== at 0x80853D9: connman_network_set_error (network.c:1365)
==4345== by 0x80855DF: dhcpv6_callback (network.c:398)
==4345== by 0x80A9987: dad_reply (dhcpv6.c:807)
==4345== by 0x80A06AA: ns_timeout_cb (inet.c:1852)
==4345== by 0x4D63DDAF: g_timeout_dispatch (gmain.c:3882)
==4345== by 0x4D63D0BA: g_main_context_dispatch (gmain.c:2539)
==4345== by 0x4D63D45F: g_main_context_iterate.isra.21 (gmain.c:3146)
==4345== by 0x4D63D8C2: g_main_loop_run (gmain.c:3340)
==4345== by 0x80542B2: main (main.c:688)
==4345== Address 0x38 is not stack'd, malloc'd or (recently) free'd
==4345==
---
src/dhcpv6.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/dhcpv6.c b/src/dhcpv6.c
index 2ede854..72fe33f 100644
--- a/src/dhcpv6.c
+++ b/src/dhcpv6.c
@@ -804,7 +804,8 @@ static void dad_reply(struct nd_neighbor_advert *reply,
service = __connman_service_lookup_from_index(
data->ifindex);
network = __connman_service_get_network(service);
- data->callback(network, status, NULL);
+ if (network)
+ data->callback(network, status, NULL);
}
}
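Review bot: the `if (network)` guard in dad_reply() drops the DAD result silently when the network is gone, so nothing in the log shows that data->callback() was skipped and any completion work the callback would have done for this request never runs. A debug message on the NULL branch would make the skipped case visible next to the existing "DAD succeed" line. The valgrind trace in the commit message also places the invalid write in connman_network_set_error() (network.c:1365), reached through dhcpv6_callback() (network.c:398), so a NULL check in one of those functions would cover any other path that passes them a NULL network; consider adding it alongside this caller-side check.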
--
1.8.3.1
_______________________________________________
connman mailing list
[email protected]
https://lists.connman.net/mailman/listinfo/connman