[firewall] Fixed use-after-free in __connman_firewall_remove_rule
g_list_previous was accessing the pointer deallocated by g_list_remove:

==2161== Invalid read of size 4
==2161==    at 0xC6F6C: __connman_firewall_remove_rule (firewall.c:356)
==2161==    by 0xC720F: __connman_firewall_disable (firewall.c:442)
==2161==    by 0xAA8A3: cleanup_firewall (session.c:239)
==2161==    by 0xAE483: __connman_session_cleanup (session.c:1814)
==2161==    by 0x52427: main (main.c:902)
==2161==  Address 0x5321000 is 8 bytes inside a block of size 12 free'd
==2161==    at 0x4840B28: free (vg_replace_malloc.c:530)
==2161==    by 0x4C9FBB3: g_list_remove (glist.c:521)
==2161==    by 0xC6F33: __connman_firewall_remove_rule (firewall.c:360)
==2161==    by 0xC720F: __connman_firewall_disable (firewall.c:442)
==2161==    by 0xAA8A3: cleanup_firewall (session.c:239)
==2161==    by 0xAE483: __connman_session_cleanup (session.c:1814)
==2161==    by 0x52427: main (main.c:902)
==2161==  Block was alloc'd at
==2161==    at 0x483F3EC: malloc (vg_replace_malloc.c:299)
==2161==    by 0x4CA90DF: g_malloc (gmem.c:94)
==2161==    by 0x4CBEF51: g_slice_alloc (gslice.c:1025)
==2161==    by 0x4CA0077: g_list_append (glist.c:261)
==2161==    by 0xC6E97: __connman_firewall_add_rule (firewall.c:345)
==2161==    by 0xAA807: init_firewall (session.c:215)
==2161==    by 0xAE403: __connman_session_init (session.c:1799)
==2161==    by 0x522D7: main (main.c:864)
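The bug class named in the commit message, as an added example that is not part of the commit or of connman: removing a node while walking a doubly linked list backwards is only safe if the previous pointer is read before the node is freed. The page does not show firewall.c, so the loop shape is an assumption, and `struct node`, `list_append`, `list_remove` and `remove_matching` are hypothetical stand-ins for GList and its callers.

```c
#include <stdlib.h>

/* Minimal stand-in for GList: constructed for this example, not GLib code. */
struct node { int id; struct node *prev, *next; };

static struct node *list_append(struct node *head, int id)
{
    struct node *n = calloc(1, sizeof(*n)), *tail = head;
    if (!n) abort();
    n->id = id;
    while (tail && tail->next) tail = tail->next;
    if (tail) { tail->next = n; n->prev = tail; }
    return head ? head : n;
}

/* Unlink and free one node, as g_list_remove() does; returns the new head. */
static struct node *list_remove(struct node *head, struct node *n)
{
    if (n->prev) n->prev->next = n->next; else head = n->next;
    if (n->next) n->next->prev = n->prev;
    free(n);
    return head;
}

/* Remove all nodes with the given id, walking tail to head.
 * Unsafe shape: for (n = tail; n; n = n->prev) head = list_remove(head, n);
 * the loop step reads n->prev after free(n). Here prev is read first. */
static struct node *remove_matching(struct node *head, int id, int *removed)
{
    struct node *n = head, *prev;
    *removed = 0;
    while (n && n->next) n = n->next;
    for (; n; n = prev) {
        prev = n->prev;                 /* n is still valid here */
        if (n->id == id) {
            head = list_remove(head, n);
            (*removed)++;
        }
    }
    return head;
}

int main(void)
{
    int removed, ids[] = { 1, 2, 1, 3, 1 };   /* constructed sample ids */
    struct node *head = NULL;
    for (int i = 0; i < 5; i++) head = list_append(head, ids[i]);
    head = remove_matching(head, 1, &removed);
    return (removed == 3 && head && head->id == 2) ? 0 : 1;
}
```

Building this with `-fsanitize=address`, or running it under valgrind as the commit author did, reports nothing; swapping in the unsafe loop shape from the comment reproduces the same kind of invalid-read report.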