[PATCH v3] ifconfig: fix double free fatal error in INET_sprint
Zheng Junling
zhengjunling at huawei.com
Tue Feb 3 10:53:20 UTC 2015
I'm so sorry that I gave the wrong email address and author name in v1 and v2.
So, please ignore the previous two patches. Thanks!
On 2015/2/3 18:03, walter harms wrote:
> Hello Zheng Junling,
>
> we now have 3 patches with obvious differences. Could you please explain
> what the changes are?
>
> re,
> wh
>
>
> On 03.02.2015 10:12, Zheng Junling wrote:
>> While INET_sprint or INET6_sprint is called circularly by keeping
>> ifconfiging, sap->sa_family would be cleaned by other parallel processes
>> such as dhclient sometimes, and then there would be a double free error
>> like the following:
>>
>> *** glibc detected *** ifconfig: double free or corruption (fasttop): 0x000a6008 ***
>> ======= Backtrace: =========
>> /lib/libc.so.6(+0x6bc84)[0x40133c84]
>> /lib/libc.so.6(cfree+0x94)[0x40138684]
>> ifconfig[0x1c460]
>> ifconfig[0x1c6a0]
>> ifconfig[0x1ccf4]
>> ifconfig[0x187c8]
>> ifconfig[0xd544]
>> ifconfig[0xd5dc]
>> ifconfig[0xdca8]
>> /lib/libc.so.6(__libc_start_main+0x110)[0x400df258]
>> ======= Memory map: ========
>> 00008000-0009c000 r-xp 00000000 1f:05 444328 /bin/busybox
>> 000a3000-000a4000 rw-p 00093000 1f:05 444328 /bin/busybox
>>
>> We set the buff pointer to be NULL to avoid double freeing. However, it
>> is still incomprehensible.
>>
>> TODO: INET_sprint and INET6_sprint are only used in networking/interface.c.
>> Shall we refactor these two funcs by passing a pointer to them, and then
>> returning it?
>>
>> Signed-off-by: Zheng Junling <zhengjunling at huawei.com>
>> Signed-off-by: Chen Gang <cg.chen at huawei.com>
>> Reported-by: Chen Gang <cg.chen at huawei.com>
>> ---
>> networking/interface.c | 2 ++
>> 1 file changed, 2 insertions(+)
>>
>> diff --git a/networking/interface.c b/networking/interface.c
>> index bf7d2b1..65f2392 100644
>> --- a/networking/interface.c
>> +++ b/networking/interface.c
>> @@ -92,6 +92,7 @@ static const char* FAST_FUNC INET_sprint(struct sockaddr *sap, int numeric)
>> static char *buff; /* defaults to NULL */
>>
>> free(buff);
>> + buff = NULL;
>> if (sap->sa_family == 0xFFFF || sap->sa_family == 0)
>> return "[NONE SET]";
>> buff = INET_rresolve((struct sockaddr_in *) sap, numeric, 0xffffff00);
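Review bot: the commit message calls the double free "incomprehensible", but the cause is visible in this hunk of INET_sprint and should be stated in the message. `free(buff);` runs on every call, while the early `return "[NONE SET]";` leaves before `buff = INET_rresolve(...)` reassigns the static pointer, so the next call frees the same address again. The added `buff = NULL;` is the right minimal fix for that; please put a one-line comment on it so it is not later removed as a redundant store.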
>> @@ -174,6 +175,7 @@ static const char* FAST_FUNC INET6_sprint(struct sockaddr *sap, int numeric)
>> static char *buff;
>>
>> free(buff);
>> + buff = NULL;
>> if (sap->sa_family == 0xFFFF || sap->sa_family == 0)
>> return "[NONE SET]";
>> buff = INET6_rresolve((struct sockaddr_in6 *) sap, numeric);
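Review bot: in INET6_sprint the declaration `static char *buff;` lacks the `/* defaults to NULL */` remark that INET_sprint carries, and the `free(buff);` / `buff = NULL;` pair is now duplicated verbatim in both functions. Add the same remark here for consistency, and consider a small shared helper or the caller-owned pointer refactor mentioned in the TODO, so the rule that the static pointer never outlives its allocation is kept in one place.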
>
> .
>
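The failure mode behind this patch, as an added example that is not part of the original thread or of BusyBox: a static buffer freed at function entry plus an early return that skips the reassignment. All names here (`sprint`, `tracked_dup`, `tracked_free`, `run_sequence`) are hypothetical, and a one-slot tracker stands in for the heap so the repeated free is counted instead of aborting.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the heap: one slot, so a second free of the
 * same block is counted instead of corrupting real allocator state. */
static char slot[32];
static int in_use;
static int double_frees;

static char *tracked_dup(const char *s)
{
    strncpy(slot, s, sizeof(slot) - 1);
    slot[sizeof(slot) - 1] = '\0';
    in_use = 1;
    return slot;
}

static void tracked_free(void *p)
{
    if (!p) return;                           /* free(NULL) is a no-op */
    if (!in_use) { double_frees++; return; }  /* block was already released */
    in_use = 0;
}

/* File scope here so the demo can reset it; function-local in the patch. */
static char *buff;

/* Same shape as INET_sprint: free first, early return, then reassign. */
static const char *sprint(int family, int reset_after_free)
{
    tracked_free(buff);
    if (reset_after_free)
        buff = NULL;                  /* the line the patch adds */
    if (family == 0xFFFF || family == 0)
        return "[NONE SET]";          /* without the reset, buff dangles */
    buff = tracked_dup("192.0.2.1");  /* stands in for INET_rresolve() */
    return buff;
}

/* Resolve once, then take the early return twice; returns double frees. */
int run_sequence(int reset_after_free)
{
    buff = NULL; in_use = 0; double_frees = 0;
    sprint(2, reset_after_free);
    sprint(0, reset_after_free);
    sprint(0, reset_after_free);
    return double_frees;
}

int main(void)
{
    printf("unpatched: %d, patched: %d\n", run_sequence(0), run_sequence(1));
    return 0;
}
```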