Commit a5b9ce65 authored by Slava Monich's avatar Slava Monich

[firewall] Fixed use-after-free in __connman_firewall_remove_rule

g_list_previous was accessing the pointer deallocated by g_list_remove:

==2161== Invalid read of size 4
==2161==    at 0xC6F6C: __connman_firewall_remove_rule (firewall.c:356)
==2161==    by 0xC720F: __connman_firewall_disable (firewall.c:442)
==2161==    by 0xAA8A3: cleanup_firewall (session.c:239)
==2161==    by 0xAE483: __connman_session_cleanup (session.c:1814)
==2161==    by 0x52427: main (main.c:902)
==2161==  Address 0x5321000 is 8 bytes inside a block of size 12 free'd
==2161==    at 0x4840B28: free (vg_replace_malloc.c:530)
==2161==    by 0x4C9FBB3: g_list_remove (glist.c:521)
==2161==    by 0xC6F33: __connman_firewall_remove_rule (firewall.c:360)
==2161==    by 0xC720F: __connman_firewall_disable (firewall.c:442)
==2161==    by 0xAA8A3: cleanup_firewall (session.c:239)
==2161==    by 0xAE483: __connman_session_cleanup (session.c:1814)
==2161==    by 0x52427: main (main.c:902)
==2161==  Block was alloc'd at
==2161==    at 0x483F3EC: malloc (vg_replace_malloc.c:299)
==2161==    by 0x4CA90DF: g_malloc (gmem.c:94)
==2161==    by 0x4CBEF51: g_slice_alloc (gslice.c:1025)
==2161==    by 0x4CA0077: g_list_append (glist.c:261)
==2161==    by 0xC6E97: __connman_firewall_add_rule (firewall.c:345)
==2161==    by 0xAA807: init_firewall (session.c:215)
==2161==    by 0xAE403: __connman_session_init (session.c:1799)
==2161==    by 0x522D7: main (main.c:864)
parent 2b8d03ec
......@@ -352,10 +352,11 @@ int __connman_firewall_remove_rule(struct firewall_context *ctx, int id)
GList *list;
int err = -ENOENT;
for (list = g_list_last(ctx->rules); list;
list = g_list_previous(list)) {
rule = list->data;
list = g_list_last(ctx->rules);
while (list) {
GList *prev = g_list_previous(list);
rule = list->data;
if (rule->id == id || id == FW_ALL_RULES) {
ctx->rules = g_list_remove(ctx->rules, rule);
cleanup_fw_rule(rule);
......@@ -364,6 +365,8 @@ int __connman_firewall_remove_rule(struct firewall_context *ctx, int id)
if (id != FW_ALL_RULES)
break;
}
list = prev;
}
return err;
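Review bot: At `ctx->rules = g_list_remove(ctx->rules, rule);` the node being visited is already in hand, so `ctx->rules = g_list_delete_link(ctx->rules, list);` would unlink exactly that node in O(1) instead of rescanning the list for the first element carrying the same data pointer, and it keeps the saved `prev` valid regardless of whether any other node shares that data. The current form is correct only as long as each rule pointer occurs in ctx->rules once, which the hunk does not show. A short comment above `GList *prev = g_list_previous(list);`, such as `/* fetch prev first: the node is unlinked and freed below */`, would record why the for loop was turned into a while and stop a later cleanup from folding it back. The function's declarations begin before the first hunk and the lines between the two hunks are not shown.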