From: Wojciech Jowsa <wojciech.jo...@gmail.com>

A segfault occurs in ubus_cmp_id when a client tries to subscribe to a ubus object after the object was removed and added again. When the ubus object is removed, a client subscribed to this object is notified about that. This causes the following function calls:

uh_ubus_subscription_notification_remove_cb -> uh_request_done -> memset(&cl->dispatch,..)

When the object is added again and the client subscribes to it, the following functions are called:

ubus_add_object_cb -> avl_insert -> avl_find_rec -> ubus_cmp_id

ubus_cmp_id tries to compare keys by dereferencing pointers, but one of the pointers was previously zeroed in uh_request_done.
Signed-off-by: Wojciech Jowsa <wojciech.jo...@gmail.com> --- client.c | 1 - 1 file changed, 1 deletion(-) diff --git a/client.c b/client.c index 6233d01..45cd591 100644 --- a/client.c +++ b/client.c @@ -125,7 +125,6 @@ void uh_request_done(struct client *cl) uh_chunk_eof(cl); uh_dispatch_done(cl); blob_buf_init(&cl->hdr_response, 0); - memset(&cl->dispatch, 0, sizeof(cl->dispatch)); if (!conf.http_keepalive || cl->request.connection_close) return uh_connection_close(cl); -- 2.25.1 _______________________________________________ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
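Review bot: dropping the `memset(&cl->dispatch, 0, sizeof(cl->dispatch));` line in uh_request_done() hides the crash without explaining why memory inside cl->dispatch is still reachable from the AVL tree after the request is finished. Going by the description, avl_find_rec later walks into a node whose key pointer this memset cleared, so something in cl->dispatch is still linked into the tree when uh_request_done() runs. With the memset gone that node stays linked, and on the keep-alive path (the code after the hunk returns early only when `!conf.http_keepalive || cl->request.connection_close`) the next request on the same client now starts with the previous request's dispatch state instead of a zeroed struct. Consider unlinking the subscriber from the tree in the teardown path (uh_dispatch_done() or the remove callback) before the struct is cleared and keeping the memset, or, if the state really must outlive the request, clearing only the fields that are not linked and adding a comment in uh_request_done() saying which fields persist and why. The commit message should also state what happens to the tree entry when the client itself is closed.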