author | Beniamino Galvani <bgalvani@redhat.com> | 2019-04-08 18:20:39 +0200 |
---|---|---|
committer | Beniamino Galvani <bgalvani@redhat.com> | 2019-04-08 18:49:27 +0200 |
commit | 80a3031a7c40f9b6f2ff08b924077e5c1d09a8b7 (patch) | |
tree | 4d7db4ae84b49090e6622807dcbaecd7e5d5600a | |
parent | a4a6a6b6ee907ad0ca4304f5f332354278bdcdc3 (diff) | |
download | NetworkManager-80a3031a7c40f9b6f2ff08b924077e5c1d09a8b7.tar.gz |
libnm-core: fix invalid memory access
When we delete the runner.name property, the runner object itself gets
deleted if that was the only property, and @runner becomes invalid.
==13818== Invalid read of size 1
==13818== at 0x55EAF4: nm_streq (nm-macros-internal.h:869)
==13818== by 0x55EAF4: _json_team_normalize_defaults (nm-utils.c:5573)
==13818== by 0x566C89: _nm_utils_team_config_set (nm-utils.c:6057)
==13818== by 0x5498A6: _nm_utils_json_append_gvalue (nm-utils-private.h:228)
==13818== by 0x5498A6: set_property (nm-setting-team.c:1622)
==13818== Address 0x182a9330 is 0 bytes inside a block of size 13 free'd
==13818== at 0x4839A0C: free (vg_replace_malloc.c:530)
==13818== by 0x4857868: json_delete_string (value.c:763)
==13818== by 0x4857868: json_delete (value.c:975)
==13818== by 0x4851FA1: UnknownInlinedFun (jansson.h:129)
==13818== by 0x4851FA1: hashtable_do_del (hashtable.c:131)
==13818== by 0x4851FA1: hashtable_del (hashtable.c:289)
==13818== by 0x55DFDD: _json_del_object (nm-utils.c:5384)
==13818== by 0x55EA70: _json_delete_object_on_string_match (nm-utils.c:5532)
==13818== by 0x55EADB: _json_team_normalize_defaults (nm-utils.c:5549)
==13818== by 0x566C89: _nm_utils_team_config_set (nm-utils.c:6057)
==13818== by 0x5498A6: _nm_utils_json_append_gvalue (nm-utils-private.h:228)
==13818== by 0x5498A6: set_property (nm-setting-team.c:1622)
==13818== Block was alloc'd at
==13818== at 0x483880B: malloc (vg_replace_malloc.c:299)
==13818== by 0x4852E8C: lex_scan_string (load.c:389)
==13818== by 0x4852E8C: lex_scan (load.c:620)
==13818== by 0x4853458: parse_object (load.c:738)
==13818== by 0x4853458: parse_value (load.c:862)
==13818== by 0x4853466: parse_object (load.c:739)
==13818== by 0x4853466: parse_value (load.c:862)
==13818== by 0x4853655: parse_json.constprop.7 (load.c:899)
==13818== by 0x48537CF: json_loads (load.c:959)
==13818== by 0x566780: _nm_utils_team_config_set (nm-utils.c:5961)
==13818== by 0x5498A6: _nm_utils_json_append_gvalue (nm-utils-private.h:228)
==13818== by 0x5498A6: set_property (nm-setting-team.c:1622)
Fixes: a5642fd93a2f ('libnm-core: team: rework defaults management on runner properties')
-rw-r--r-- | libnm-core/nm-utils.c | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/libnm-core/nm-utils.c b/libnm-core/nm-utils.c
index ebe291b32f..cf7ddb08f9 100644
--- a/libnm-core/nm-utils.c
+++ b/libnm-core/nm-utils.c
@@ -5537,6 +5537,7 @@ _json_team_normalize_defaults (json_t *json, gboolean reset)
 {
 json_t *json_element;
 const char *runner = NM_SETTING_TEAM_RUNNER_DEFAULT;
+ gs_free char *runner_free = NULL;
 int notify_peers_count = 0, notify_peers_interval = 0;
 int mcast_rejoin_count = 0, mcast_rejoin_interval = 0;
 int runner_tx_balancer_interval = -1;
@@ -5545,7 +5546,8 @@ _json_team_normalize_defaults (json_t *json, gboolean reset)
 json_element = _json_find_object (json, "runner", "name", NULL);
 if (json_element) {
- runner = json_string_value (json_element);
+ runner_free = g_strdup (json_string_value (json_element));
+ runner = runner_free;
 _json_delete_object_on_string_match (json, "runner", "name", NULL, NM_SETTING_TEAM_RUNNER_DEFAULT);
 } |
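Review bot: In the second hunk, `json_string_value (json_element)` returns NULL when the `runner.name` node is not a JSON string, so `g_strdup ()` yields NULL and the unconditional `runner = runner_free;` discards the `NM_SETTING_TEAM_RUNNER_DEFAULT` fallback. The Valgrind trace in the commit message shows `runner` later reaching `nm_streq`, which is presumably not NULL-safe, so a malformed team config could turn the fixed use-after-free into a NULL dereference. Unless `_json_find_object` already guarantees a string node (not visible here), guarding the assignment as `if (runner_free) runner = runner_free;` would keep the default. A short comment above the copy, e.g. `/* json_string_value() returns memory owned by the node, which the delete below may free */`, would also stop the duplicate from being removed later as redundant. The body of `_json_team_normalize_defaults` continues outside the hunk, so the later uses of `runner` should be checked there.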