Patrick Williams | c124f4f | 2015-09-15 14:41:29 -0500 | 1 | From a97777889328157bb7d06ec618bad16712a9c345 Mon Sep 17 00:00:00 2001 |
| 2 | From: Denys Vlasenko <vda.linux@googlemail.com> |
| 3 | Date: Tue, 3 Feb 2015 12:11:30 +0100 |
| 4 | Subject: [PATCH] ifconfig: fix double free fatal error in INET_sprint |
| 5 | |
| 6 | Derived from: |
| 7 | http://git.busybox.net/busybox/commit/?id=a97777889328157bb7d06ec618bad16712a9c345. |
| 8 | |
| 9 | While INET_sprint or INET6_sprint is called circularly by keeping |
| 10 | ifconfiging, sap->sa_family would be cleaned by other parallel processes |
| 11 | such as dhclient sometimes, and then there would be a double free error |
| 12 | like the following: |
| 13 | |
| 14 | *** glibc detected *** ifconfig: double free or corruption (fasttop): 0x000a6008 *** |
| 15 | ======= Backtrace: ========= |
| 16 | /lib/libc.so.6(+0x6bc84)[0x40133c84] |
| 17 | /lib/libc.so.6(cfree+0x94)[0x40138684] |
| 18 | ifconfig[0x1c460] |
| 19 | ifconfig[0x1c6a0] |
| 20 | ifconfig[0x1ccf4] |
| 21 | ifconfig[0x187c8] |
| 22 | ifconfig[0xd544] |
| 23 | ifconfig[0xd5dc] |
| 24 | ifconfig[0xdca8] |
| 25 | /lib/libc.so.6(__libc_start_main+0x110)[0x400df258] |
| 26 | ======= Memory map: ======== |
| 27 | 00008000-0009c000 r-xp 00000000 1f:05 444328 /bin/busybox |
| 28 | 000a3000-000a4000 rw-p 00093000 1f:05 444328 /bin/busybox |
| 29 | |
| 30 | This patch moved free() two lines down to address this problem. |
| 31 | |
| 32 | Upstream-Status: Backport |
| 33 | |
| 34 | Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com> |
| 35 | --- |
| 36 | networking/interface.c | 4 ++-- |
| 37 | 1 file changed, 2 insertions(+), 2 deletions(-) |
| 38 | |
| 39 | diff --git a/networking/interface.c b/networking/interface.c |
| 40 | index bf7d2b1..b0572d0 100644 |
| 41 | --- a/networking/interface.c |
| 42 | +++ b/networking/interface.c |
| 43 | @@ -91,9 +91,9 @@ static const char* FAST_FUNC INET_sprint(struct sockaddr *sap, int numeric) |
| 44 | { |
| 45 | static char *buff; /* defaults to NULL */ |
| 46 | |
| 47 | - free(buff); |
| 48 | if (sap->sa_family == 0xFFFF || sap->sa_family == 0) |
| 49 | return "[NONE SET]"; |
| 50 | + free(buff); |
| 51 | buff = INET_rresolve((struct sockaddr_in *) sap, numeric, 0xffffff00); |
| 52 | return buff; |
| 53 | } |
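Review bot: The position of free(buff) after the sa_family check in INET_sprint is now what prevents the double free, and nothing in the function says so. In the old order, the early return of "[NONE SET]" left the static buff pointing at memory that had just been freed, so the next call freed the same pointer again; that sequence needs only an unset family on one call followed by any later call. Either add a short comment above the moved free(buff) explaining why it must follow the check, or set buff = NULL right after freeing so the function stays safe if the statements are reordered later.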
| 54 | @@ -173,9 +173,9 @@ static const char* FAST_FUNC INET6_sprint(struct sockaddr *sap, int numeric) |
| 55 | { |
| 56 | static char *buff; |
| 57 | |
| 58 | - free(buff); |
| 59 | if (sap->sa_family == 0xFFFF || sap->sa_family == 0) |
| 60 | return "[NONE SET]"; |
| 61 | + free(buff); |
| 62 | buff = INET6_rresolve((struct sockaddr_in6 *) sap, numeric); |
| 63 | return buff; |
| 64 | } |
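Review bot: INET6_sprint still hands callers a pointer into the static buff that the next successful call frees, and the function carries no comment about that lifetime. With free(buff) now skipped on the "[NONE SET]" path, the previous string stays allocated until the next call that resolves an address, which is harmless, but a caller that keeps the returned pointer across two calls would read freed memory. A one-line comment on the function stating that the result is valid only until the next call would document this, and the same applies to INET_sprint, which duplicates these lines.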
| 65 | -- |
| 66 | 1.8.3.4 |
| 67 | |