From: Wojciech Jowsa <wojciech.jo...@gmail.com>
A segfault occurs in ubus_cmp_id when a client
tries to subscribe to an ubus object after the
object was removed and added again. When the ubus
object is removed then a client subcribed to
this object in notified about that. This causes
following functon calls
uh_ubus_subscription_notification_remove_cb->
uh_request_done->memset(&cl->dispatch,..)
When the object is added again and the client
subscribes to it then following funcation are
called ubus_add_object_cb->
avl_insert->avl_find_rec-> ubus_cmp_id.
Ubus_cmp_id tries to compare keys by
dereferencing pointers but one of the pointers
was previoulsy zeroed in uh_request_done.
Signed-off-by: Wojciech Jowsa <wojciech.jo...@gmail.com>
---
client.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/client.c b/client.c
index 6233d01..45cd591 100644
--- a/client.c
+++ b/client.c
@@ -125,7 +125,6 @@ void uh_request_done(struct client *cl)
uh_chunk_eof(cl);
uh_dispatch_done(cl);
blob_buf_init(&cl->hdr_response, 0);
- memset(&cl->dispatch, 0, sizeof(cl->dispatch));
if (!conf.http_keepalive || cl->request.connection_close)
return uh_connection_close(cl);
--
2.25.1
_______________________________________________
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
