[firewall] Fixed use-after-free in __connman_firewall_remove_rule

g_list_previous was accessing the pointer deallocated by g_list_remove: ==2161== Invalid read of size 4 ==2161== at 0xC6F6C: __connman_firewall_remove_rule (firewall.c:356) ==2161== by 0xC720F: __connman_firewall_disable (firewall.c:442) ==2161== by 0xAA8A3: cleanup_firewall (session.c:239) ==2161== by 0xAE483: __connman_session_cleanup (session.c:1814) ==2161== by 0x52427: main (main.c:902) ==2161== Address 0x5321000 is 8 bytes inside a block of size 12 free'd ==2161== at 0x4840B28: free (vg_replace_malloc.c:530) ==2161== by 0x4C9FBB3: g_list_remove (glist.c:521) ==2161== by 0xC6F33: __connman_firewall_remove_rule (firewall.c:360) ==2161== by 0xC720F: __connman_firewall_disable (firewall.c:442) ==2161== by 0xAA8A3: cleanup_firewall (session.c:239) ==2161== by 0xAE483: __connman_session_cleanup (session.c:1814) ==2161== by 0x52427: main (main.c:902) ==2161== Block was alloc'd at ==2161== at 0x483F3EC: malloc (vg_replace_malloc.c:299) ==2161== by 0x4CA90DF: g_malloc (gmem.c:94) ==2161== by 0x4CBEF51: g_slice_alloc (gslice.c:1025) ==2161== by 0x4CA0077: g_list_append (glist.c:261) ==2161== by 0xC6E97: __connman_firewall_add_rule (firewall.c:345) ==2161== by 0xAA807: init_firewall (session.c:215) ==2161== by 0xAE403: __connman_session_init (session.c:1799) ==2161== by 0x522D7: main (main.c:864)

[firewall] Fixed use-after-free in __connman_firewall_remove_rule
g_list_previous was accessing the pointer deallocated by g_list_remove: ==2161== Invalid read of size 4 ==2161== at 0xC6F6C: __connman_firewall_remove_rule (firewall.c:356) ==2161== by 0xC720F: __connman_firewall_disable (firewall.c:442) ==2161== by 0xAA8A3: cleanup_firewall (session.c:239) ==2161== by 0xAE483: __connman_session_cleanup (session.c:1814) ==2161== by 0x52427: main (main.c:902) ==2161== Address 0x5321000 is 8 bytes inside a block of size 12 free'd ==2161== at 0x4840B28: free (vg_replace_malloc.c:530) ==2161== by 0x4C9FBB3: g_list_remove (glist.c:521) ==2161== by 0xC6F33: __connman_firewall_remove_rule (firewall.c:360) ==2161== by 0xC720F: __connman_firewall_disable (firewall.c:442) ==2161== by 0xAA8A3: cleanup_firewall (session.c:239) ==2161== by 0xAE483: __connman_session_cleanup (session.c:1814) ==2161== by 0x52427: main (main.c:902) ==2161== Block was alloc'd at ==2161== at 0x483F3EC: malloc (vg_replace_malloc.c:299) ==2161== by 0x4CA90DF: g_malloc (gmem.c:94) ==2161== by 0x4CBEF51: g_slice_alloc (gslice.c:1025) ==2161== by 0x4CA0077: g_list_append (glist.c:261) ==2161== by 0xC6E97: __connman_firewall_add_rule (firewall.c:345) ==2161== by 0xAA807: init_firewall (session.c:215) ==2161== by 0xAE403: __connman_session_init (session.c:1799) ==2161== by 0x522D7: main (main.c:864)
a5b9ce65 · Slava Monich · 2b8d03ec · a5b9ce65
Commit a5b9ce65 authored Feb 13, 2018 by Slava Monich
Hide whitespace changes
Inline Side-by-side

Showing with 6 additions and 3 deletions

connman/src/firewall.c connman/src/firewall.c +6 -3

No files found.
--- a/connman/src/firewall.c
+++ b/connman/src/firewall.c
@@ -352,10 +352,11 @@ int __connman_firewall_remove_rule(struct firewall_context *ctx, int id)
 	GList *list;
 	int err = -ENOENT;

-	for (list = g_list_last(ctx->rules); list;
-			list = g_list_previous(list)) {
-		rule = list->data;
+	list = g_list_last(ctx->rules);
+	while (list) {
+		GList *prev = g_list_previous(list);

+		rule = list->data;
 		if (rule->id == id || id == FW_ALL_RULES) {
 			ctx->rules = g_list_remove(ctx->rules, rule);
 			cleanup_fw_rule(rule);
@@ -364,6 +365,8 @@ int __connman_firewall_remove_rule(struct firewall_context *ctx, int id)
 			if (id != FW_ALL_RULES)
 				break;
 		}
+
+		list = prev;
 	}

 	return err;