    [firewall] Fixed use-after-free in __connman_firewall_remove_rule · a5b9ce65
    Slava Monich authored
    g_list_previous was accessing the pointer deallocated by g_list_remove:
    
    ==2161== Invalid read of size 4
    ==2161==    at 0xC6F6C: __connman_firewall_remove_rule (firewall.c:356)
    ==2161==    by 0xC720F: __connman_firewall_disable (firewall.c:442)
    ==2161==    by 0xAA8A3: cleanup_firewall (session.c:239)
    ==2161==    by 0xAE483: __connman_session_cleanup (session.c:1814)
    ==2161==    by 0x52427: main (main.c:902)
    ==2161==  Address 0x5321000 is 8 bytes inside a block of size 12 free'd
    ==2161==    at 0x4840B28: free (vg_replace_malloc.c:530)
    ==2161==    by 0x4C9FBB3: g_list_remove (glist.c:521)
    ==2161==    by 0xC6F33: __connman_firewall_remove_rule (firewall.c:360)
    ==2161==    by 0xC720F: __connman_firewall_disable (firewall.c:442)
    ==2161==    by 0xAA8A3: cleanup_firewall (session.c:239)
    ==2161==    by 0xAE483: __connman_session_cleanup (session.c:1814)
    ==2161==    by 0x52427: main (main.c:902)
    ==2161==  Block was alloc'd at
    ==2161==    at 0x483F3EC: malloc (vg_replace_malloc.c:299)
    ==2161==    by 0x4CA90DF: g_malloc (gmem.c:94)
    ==2161==    by 0x4CBEF51: g_slice_alloc (gslice.c:1025)
    ==2161==    by 0x4CA0077: g_list_append (glist.c:261)
    ==2161==    by 0xC6E97: __connman_firewall_add_rule (firewall.c:345)
    ==2161==    by 0xAA807: init_firewall (session.c:215)
    ==2161==    by 0xAE403: __connman_session_init (session.c:1799)
    ==2161==    by 0x522D7: main (main.c:864)
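
An added example (not ConnMan's code and not part of this commit) of the pattern the message describes: in a backward walk the previous link must be read before the node is freed, otherwise the loop step reads `prev` from freed memory, which with GList's field order (data, next, prev) on a 32-bit target is the 4-byte read 8 bytes into a 12-byte block that Valgrind reports. `struct node`, `list_append`, `list_delete`, `remove_rules`, `demo` and the loop shape are hypothetical stand-ins for GList and the rule list.

```c
#include <stdlib.h>

/* Hypothetical stand-in for GList, same field order (data, next, prev). */
struct node { int id; struct node *next, *prev; };

static struct node *list_append(struct node *head, int id)
{
    struct node *n = calloc(1, sizeof(*n)), *t = head;
    n->id = id;
    if (!head) return n;
    while (t->next) t = t->next;
    t->next = n;
    n->prev = t;
    return head;
}

/* Unlink and free one node, return the new head (like g_list_delete_link). */
static struct node *list_delete(struct node *head, struct node *n)
{
    if (n->prev) n->prev->next = n->next; else head = n->next;
    if (n->next) n->next->prev = n->prev;
    free(n);
    return head;
}

/* Remove every rule with this id, walking from the tail backwards.
 * The buggy shape is `for (...; n; n = n->prev)` with the delete in the
 * body: the step expression then reads n->prev from freed memory. */
static struct node *remove_rules(struct node *head, int id, int *removed)
{
    struct node *n = head, *prev;
    while (n && n->next) n = n->next;   /* find the tail */
    for (; n; n = prev) {
        prev = n->prev;                 /* save the link before n can be freed */
        if (n->id == id) { head = list_delete(head, n); (*removed)++; }
    }
    return head;
}

/* Constructed input: rule ids 2,1,2,3,2; returns removed * 10 + remaining. */
int demo(void)
{
    int ids[] = { 2, 1, 2, 3, 2 }, removed = 0, left = 0;
    struct node *head = NULL, *n;
    for (int i = 0; i < 5; i++) head = list_append(head, ids[i]);
    head = remove_rules(head, 2, &removed);
    for (n = head; n; n = n->next) left++;
    while (head) head = list_delete(head, head);
    return removed * 10 + left;
}

int main(void) { return demo() == 32 ? 0 : 1; }
```

Building this with `-fsanitize=address`, or running it under Valgrind, stays clean; moving the `prev` read back into the loop step brings back the invalid read.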