[PATCH v3] ifconfig: fix double free fatal error in INET_sprint

Zheng Junling zhengjunling at huawei.com
Tue Feb 3 09:12:32 UTC 2015


While INET_sprint or INET6_sprint is called repeatedly by running ifconfig in
a loop, sap->sa_family is sometimes cleared by other parallel processes such
as dhclient, and then there is a double free error like the following:

  *** glibc detected *** ifconfig: double free or corruption (fasttop): 0x000a6008 ***
  ======= Backtrace: =========
  /lib/libc.so.6(+0x6bc84)[0x40133c84]
  /lib/libc.so.6(cfree+0x94)[0x40138684]
  ifconfig[0x1c460]
  ifconfig[0x1c6a0]
  ifconfig[0x1ccf4]
  ifconfig[0x187c8]
  ifconfig[0xd544]
  ifconfig[0xd5dc]
  ifconfig[0xdca8]
  /lib/libc.so.6(__libc_start_main+0x110)[0x400df258]
  ======= Memory map: ========
  00008000-0009c000 r-xp 00000000 1f:05 444328     /bin/busybox
  000a3000-000a4000 rw-p 00093000 1f:05 444328     /bin/busybox

We set the buff pointer to be NULL to avoid double freeing. However, it
is still incomprehensible.

TODO: INET_sprint and INET6_sprint are only used in networking/interface.c.
Shall we refactor these two funcs by passing a pointer to them, and then
returning it?

Signed-off-by: Zheng Junling <zhengjunling at huawei.com>
Signed-off-by: Chen Gang <cg.chen at huawei.com>
Reported-by: Chen Gang <cg.chen at huawei.com>
---
 networking/interface.c |    2 ++
 1 file changed, 2 insertions(+)

diff --git a/networking/interface.c b/networking/interface.c
index bf7d2b1..65f2392 100644
--- a/networking/interface.c
+++ b/networking/interface.c
@@ -92,6 +92,7 @@ static const char* FAST_FUNC INET_sprint(struct sockaddr *sap, int numeric)
 	static char *buff; /* defaults to NULL */
 
 	free(buff);
+	buff = NULL;
 	if (sap->sa_family == 0xFFFF || sap->sa_family == 0)
 		return "[NONE SET]";
 	buff = INET_rresolve((struct sockaddr_in *) sap, numeric, 0xffffff00);
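Review bot: the double free is fully explained by the early return in this function, so the description should say so rather than attribute it to dhclient clearing sa_family in parallel: `free(buff);` runs first, then when `sap->sa_family == 0xFFFF || sap->sa_family == 0` the function returns the literal "[NONE SET]" without reassigning `buff`, so the static pointer still holds the block that was just freed and the next call frees it again. The added `buff = NULL;` directly after the `free(buff);` is the right fix for that path; please reword the commit message to state this mechanism and drop the "still incomprehensible" remark, since the behaviour is deterministic and reproducible by printing an interface with no address between two that have one.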
@@ -174,6 +175,7 @@ static const char* FAST_FUNC INET6_sprint(struct sockaddr *sap, int numeric)
 	static char *buff;
 
 	free(buff);
+	buff = NULL;
 	if (sap->sa_family == 0xFFFF || sap->sa_family == 0)
 		return "[NONE SET]";
 	buff = INET6_rresolve((struct sockaddr_in6 *) sap, numeric);
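Review bot: same dangling-pointer path as in INET_sprint: after `free(buff);` the "[NONE SET]" return leaves the static `buff` pointing at freed memory, so the `buff = NULL;` reset is needed here as well and the two fixes should stay identical, as they are. Since the two functions differ only in the resolver call (INET_rresolve vs INET6_rresolve), the refactor floated in the TODO (caller passes a buffer, or the function returns a malloc'd string the caller frees) would remove the static state and this class of bug entirely; worth a follow-up patch rather than leaving it as a question in the description.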
-- 
1.7.9.5
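The failure the commit message describes, as an added example that is not part of this patch or of BusyBox's code: a toy model of the static-buffer pattern in INET_sprint, with an instrumented free() that counts a second release of the same block instead of aborting the way glibc did in the backtrace above. The names toy_sockaddr, toy_resolve, tracked_free, sprint_before, sprint_after and run_sequence are all constructed for this example, and the addresses are made up. It shows that the sequence "set address, cleared sa_family, set address" reproduces the double free on the unpatched shape with no parallel process involved, because the early return leaves buff pointing at the block just freed, and that the `buff = NULL` reset removes it.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for struct sockaddr: only sa_family and an address matter. */
struct toy_sockaddr {
    unsigned short sa_family;
    unsigned int   addr;      /* IPv4 address as a host-order integer */
};

/*
 * Instrumented free(): records every pointer it is given and does not
 * return the block to malloc, so a pointer can only be seen twice if the
 * caller really released it twice (no false positives from address reuse).
 * The real free() would abort or corrupt the heap on the second call.
 */
#define MAX_FREED 64
static void *freed[MAX_FREED];
static int   nfreed;
static int   double_free_count;

static void tracked_free(void *p)
{
    int i;
    if (p == NULL)
        return;                          /* free(NULL) is a no-op, as in libc */
    for (i = 0; i < nfreed; i++) {
        if (freed[i] == p) {
            double_free_count++;         /* second release of the same block */
            return;
        }
    }
    if (nfreed < MAX_FREED)
        freed[nfreed++] = p;
}

/* Release the recorded blocks for real and clear the counters between runs. */
static void tracked_reset(void)
{
    int i;
    for (i = 0; i < nfreed; i++)
        free(freed[i]);
    nfreed = 0;
    double_free_count = 0;
}

/* Stand-in for INET_rresolve(): always returns a freshly malloc'd string. */
static char *toy_resolve(unsigned int a)
{
    char *s = malloc(16);
    if (s)
        snprintf(s, 16, "%u.%u.%u.%u",
                 (a >> 24) & 255, (a >> 16) & 255, (a >> 8) & 255, a & 255);
    return s;
}

/* Pre-patch shape: free the previous result, but the early return leaves the
 * static pointer dangling, so the next call frees the same block again. */
static const char *sprint_before(const struct toy_sockaddr *sap)
{
    static char *buff;
    tracked_free(buff);
    if (sap->sa_family == 0xFFFF || sap->sa_family == 0)
        return "[NONE SET]";
    buff = toy_resolve(sap->addr);
    return buff;
}

/* Patched shape: clear the pointer immediately after freeing it. */
static const char *sprint_after(const struct toy_sockaddr *sap)
{
    static char *buff;
    tracked_free(buff);
    buff = NULL;
    if (sap->sa_family == 0xFFFF || sap->sa_family == 0)
        return "[NONE SET]";
    buff = toy_resolve(sap->addr);
    return buff;
}

/* Drive one variant through the triggering sequence: an interface with an
 * address, one with sa_family cleared, then an address again.  Returns the
 * number of double frees observed, or -1 if any returned string was wrong. */
static int run_sequence(const char *(*sprint)(const struct toy_sockaddr *))
{
    struct toy_sockaddr set  = { 2, 0x0A000001u };   /* AF_INET, 10.0.0.1 (made up) */
    struct toy_sockaddr none = { 0, 0 };              /* cleared sa_family */
    int bad = 0;

    tracked_reset();
    bad |= strcmp(sprint(&set),  "10.0.0.1")   != 0;
    bad |= strcmp(sprint(&none), "[NONE SET]") != 0;
    bad |= strcmp(sprint(&set),  "10.0.0.1")   != 0;
    return bad ? -1 : double_free_count;
}

int run_before(void) { return run_sequence(sprint_before); }
int run_after(void)  { return run_sequence(sprint_after); }

int main(void)
{
    printf("before patch: %d double free(s)\n", run_before());
    printf("after patch:  %d double free(s)\n", run_after());
    return 0;
}
```

The instrumented free is only there so the unpatched variant can be observed without crashing; under a real allocator the same three calls are what produced the "double free or corruption (fasttop)" abort in the report.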