Fix crash when system has no ipv6 address [BZ #17125]

Message ID 20140708120846.GH609@spoyarek.pnq.redhat.com
State Superseded
Headers

Commit Message

Siddhesh Poyarekar July 8, 2014, 12:08 p.m. UTC
Hi,

The test case bug-ga2 crashes when the system it is running on has no
ipv6 address configured.  This is because we point the cache (that is
freed on exit) to a static variable if there is no ipv6 address, which
later results in freeing an invalid pointer.

Following patch fixes this crash.

Siddhesh

	[BZ #17125]
	* sysdeps/unix/sysv/linux/check_pf.c (make_request): Allocate
	result using malloc.
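The pattern behind this crash, as an added illustration that is not glibc code and not the patch author's: a lookup that may hand back either a heap allocation or a pointer to a static fallback entry, paired with a reference-counted release that never frees the static object. The names (cache_entry, no_ipv6_entry, cache_lookup, cache_release) are hypothetical; the static entry's usecnt starts at 1 for the same reason the page's noai6ai_cached does, so that a correct release never brings it to zero. Handing such a pointer to plain free() is the invalid free described in the bug report.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Hypothetical cache entry: either the static fallback below or heap memory. */
struct cache_entry {
    unsigned int usecnt;  /* references held; the static entry starts at 1 */
    bool seen_ipv4;
    bool seen_ipv6;
};

/* Static fallback used when the host has no IPv6 address.  The initial
   count of 1 is never dropped, so cache_release() never frees it. */
static struct cache_entry no_ipv6_entry = { .usecnt = 1 };

/* Lookup: returns the static fallback when have_ipv6 is false, otherwise a
   heap allocation the caller owns.  NULL only on allocation failure. */
struct cache_entry *cache_lookup(bool have_ipv4, bool have_ipv6)
{
    if (!have_ipv6) {
        no_ipv6_entry.usecnt++;          /* one reference for this caller */
        no_ipv6_entry.seen_ipv4 = have_ipv4;
        no_ipv6_entry.seen_ipv6 = false;
        return &no_ipv6_entry;
    }
    struct cache_entry *e = malloc(sizeof *e);
    if (e == NULL)
        return NULL;                     /* checked before any write */
    e->usecnt = 1;
    e->seen_ipv4 = have_ipv4;
    e->seen_ipv6 = true;
    return e;
}

/* True when the pointer aliases the static fallback, i.e. when passing it
   to plain free() would be the invalid free from the bug report. */
bool is_static_entry(const struct cache_entry *e)
{
    return e == &no_ipv6_entry;
}

/* Correct release: drop one reference and free only when the count reaches
   zero, which the static entry never does.  Returns true if memory was freed. */
bool cache_release(struct cache_entry *e)
{
    if (e == NULL)
        return false;
    if (--e->usecnt == 0) {
        free(e);
        return true;
    }
    return false;
}

int main(void)
{
    /* Constructed scenario: host without IPv6, then host with IPv6. */
    struct cache_entry *s = cache_lookup(true, false);
    if (!is_static_entry(s) || cache_release(s))
        return 1;                        /* static entry must survive release */
    struct cache_entry *h = cache_lookup(true, true);
    if (h == NULL || is_static_entry(h) || !cache_release(h))
        return 1;                        /* heap entry must be freed */
    return 0;
}
```

The check that matters is the one in cache_release(): every path that gives up a cache pointer goes through the reference count, and nothing calls free() on the pointer directly, so the static fallback and heap entries can share one release routine.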
  

Comments

Andreas Schwab July 8, 2014, 12:16 p.m. UTC | #1
Siddhesh Poyarekar <siddhesh@redhat.com> writes:

> The test case bug-ga2 crashes when the system it is running on has no
> ipv6 address configured.  This is because we point the cache (that is
> freed on exit) to a static variable if there is no ipv6 address, which
> later results in freeing an invalid pointer.

Why is this not working?

    .usecnt = 1,	/* Make sure we never try to delete this entry.  */

Andreas.
  
Siddhesh Poyarekar July 8, 2014, 12:21 p.m. UTC | #2
On Tue, Jul 08, 2014 at 02:16:30PM +0200, Andreas Schwab wrote:
> Siddhesh Poyarekar <siddhesh@redhat.com> writes:
> 
> > The test case bug-ga2 crashes when the system it is running on has no
> > ipv6 address configured.  This is because we point the cache (that is
> > freed on exit) to a static variable if there is no ipv6 address, which
> > later results in freeing an invalid pointer.
> 
> Why is this not working?
> 
>     .usecnt = 1,	/* Make sure we never try to delete this entry.  */
> 

Because it uses free() instead of __free_in6ai.  My patch has a leak
anyway, so it is wrong.  I'll write another fix for it.

Siddhesh
  

Patch

diff --git a/sysdeps/unix/sysv/linux/check_pf.c b/sysdeps/unix/sysv/linux/check_pf.c
index 1bc1def..063e15f 100644
--- a/sysdeps/unix/sysv/linux/check_pf.c
+++ b/sysdeps/unix/sysv/linux/check_pf.c
@@ -311,7 +311,8 @@  make_request (int fd, pid_t pid)
       atomic_add (&noai6ai_cached.usecnt, 2);
       noai6ai_cached.seen_ipv4 = seen_ipv4;
       noai6ai_cached.seen_ipv6 = seen_ipv6;
-      result = &noai6ai_cached;
+      result = malloc (sizeof (noai6ai_cached));
+      memcpy (result, &noai6ai_cached, sizeof (noai6ai_cached));
     }
 
   if (use_malloc)
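Review bot: the malloc result on the `+      result = malloc (sizeof (noai6ai_cached));` line is not checked before the following `memcpy (result, &noai6ai_cached, ...)`, so an allocation failure dereferences NULL instead of returning an error; test `result == NULL` first and take the same failure path the function already has for its other allocations. Separately, the copy inherits the `usecnt` that `atomic_add (&noai6ai_cached.usecnt, 2)` just bumped on the static object, while the static keeps being incremented on every call, so the two counters no longer describe the same references; with the copy never released through the counting path (the leak the author acknowledges in the thread), the approach needs rethinking rather than just a NULL check.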