restart_dhcp() is passing dhcp_client->last_address as the last_address
argument of g_dhcp_client_start()

this leads to a use-after-free (g_strdup reads the buffer just freed) in g_dhcp_client_start if
dhcp_client->last_address == last_address, as

g_free(dhcp_client->last_address);
dhcp_client->last_address = g_strdup(last_address);

which may happen when called from restart_dhcp()

==10736== Invalid read of size 1
==10736==    at 0x4C2BFA2: strlen (in 
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==10736==    by 0x4E942A1: g_strdup (in 
/lib/x86_64-linux-gnu/libglib-2.0.so.0.3200.4)
==10736==    by 0x416A60: g_dhcp_client_start (client.c:2837)
==10736==    by 0x413D1A: restart_dhcp (client.c:1647)
==10736==    by 0x413D63: start_expire (client.c:1659)
==10736==    by 0x4E7A8DA: ??? (in 
/lib/x86_64-linux-gnu/libglib-2.0.so.0.3200.4)
==10736==    by 0x4E79D12: g_main_context_dispatch (in 
/lib/x86_64-linux-gnu/libglib-2.0.so.0.3200.4)
==10736==    by 0x4E7A05F: ??? (in 
/lib/x86_64-linux-gnu/libglib-2.0.so.0.3200.4)
==10736==    by 0x4E7A459: g_main_loop_run (in 
/lib/x86_64-linux-gnu/libglib-2.0.so.0.3200.4)
==10736==    by 0x444535: main (main.c:705)
==10736==  Address 0x735eca0 is 0 bytes inside a block of size 16 free'd
==10736==    at 0x4C2A82E: free (in 
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==10736==    by 0x416A54: g_dhcp_client_start (client.c:2836)
==10736==    by 0x413D1A: restart_dhcp (client.c:1647)
==10736==    by 0x413D63: start_expire (client.c:1659)
==10736==    by 0x4E7A8DA: ??? (in 
/lib/x86_64-linux-gnu/libglib-2.0.so.0.3200.4)
==10736==    by 0x4E79D12: g_main_context_dispatch (in 
/lib/x86_64-linux-gnu/libglib-2.0.so.0.3200.4)
==10736==    by 0x4E7A05F: ??? (in 
/lib/x86_64-linux-gnu/libglib-2.0.so.0.3200.4)
==10736==    by 0x4E7A459: g_main_loop_run (in 
/lib/x86_64-linux-gnu/libglib-2.0.so.0.3200.4)
==10736==    by 0x444535: main (main.c:705)
---
 gdhcp/client.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/gdhcp/client.c b/gdhcp/client.c
index 084cd7e..3c11957 100644
--- a/gdhcp/client.c
+++ b/gdhcp/client.c
@@ -2832,7 +2832,7 @@ int g_dhcp_client_start(GDHCPClient *dhcp_client, const 
char *last_address)
                addr = ntohl(inet_addr(last_address));
                if (addr == 0xFFFFFFFF) {
                        addr = 0;
-               } else {
+               } else if (dhcp_client->last_address != last_address) {
                        g_free(dhcp_client->last_address);
                        dhcp_client->last_address = g_strdup(last_address);
                }
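Review bot: The added pointer-identity check on the `else if` line stops the use-after-free only for the exact-alias case, and leaves the g_free/g_strdup order that caused it in place, so any future caller passing a pointer into `dhcp_client->last_address` (or any other freshly-freed buffer) would reintroduce the bug. Copying before freeing removes the ordering hazard regardless of where `last_address` points: `char *copy = g_strdup(last_address);` / `g_free(dhcp_client->last_address);` / `dhcp_client->last_address = copy;`, with the `else` branch restored. If the identity check is kept instead, it deserves a comment so it is not "simplified" away later, e.g. `/* restart_dhcp() passes dhcp_client->last_address itself; freeing it before the g_strdup would be a use-after-free */`. Note also that `ntohl(inet_addr(...)) == 0xFFFFFFFF` treats the broadcast address 255.255.255.255 the same as a parse failure, which is pre-existing behaviour but worth confirming is intended. g_dhcp_client_start begins and ends outside this hunk.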
-- 
1.7.10.4
