[gsupplicant] Prevent double free of the network add request
Invalid read of size 4
   gsupplicant_interface_add_network_call_free (gsupplicant_interface.c:1148)
   gsupplicant_interface_add_network_call_free1 (gsupplicant_interface.c:1167)
   g_source_callback_unref (gmain.c:1561)
   g_source_destroy_internal.constprop.8 (gmain.c:1207)
   g_main_dispatch (gmain.c:3177)
   g_main_context_dispatch (gmain.c:3769)
   g_main_context_iterate.isra.4 (gmain.c:3840)
   g_main_loop_run (gmain.c:4034)
   main (main.c:866)
 Address 0x5457f2c is 28 bytes inside a block of size 52 free'd
   free (vg_replace_malloc.c:530)
   gsupplicant_interface_add_network_call_free (gsupplicant_interface.c:1159)
   gsupplicant_interface_call_add_network_finish (gsupplicant_interface.c:1185)
   gsupplicant_interface_add_network4 (gsupplicant_interface.c:2559)
   _g_closure_invoke_va (gclosure.c:867)
   g_signal_emit_valist (gsignal.c:3294)
   g_signal_emit (gsignal.c:3441)
   gsupplicant_network_signal_property_change (gsupplicant_network.c:158)
   gsupplicant_network_emit_pending_signals (gsupplicant_network.c:196)
   gsupplicant_network_proxy_created (gsupplicant_network.c:477)
   g_task_return_now (gtask.c:1107)
   ...
monich committed Mar 1, 2017
1 parent c3882bb commit 08c7949
Showing 1 changed file with 30 additions and 18 deletions.
48 changes: 30 additions & 18 deletions src/gsupplicant_interface.c
@@ -1173,35 +1173,47 @@ gsupplicant_interface_call_add_network_finish(
GSupplicantInterfaceAddNetworkCall* call,
const GError* error)
{
if (call->fn && !g_cancellable_is_cancelled(call->cancel)) {
if (call->cancel_id) {
/* In case if the callback calls g_cancellable_cancel() */
g_cancellable_disconnect(call->cancel, call->cancel_id);
call->cancel_id = 0;
/*
* If it's cancelled then gsupplicant_interface_add_network_call_free1
* call has been scheduled and we don't have to do anything here.
*/
if (!g_cancellable_is_cancelled(call->cancel)) {
if (call->fn) {
if (call->cancel_id) {
/* In case if the callback calls g_cancellable_cancel() */
g_cancellable_disconnect(call->cancel, call->cancel_id);
call->cancel_id = 0;
}
call->fn(call->iface, call->cancel, error,
error ? NULL : call->path, call->data);
}
call->fn(call->iface, call->cancel, error, error ? NULL : call->path,
call->data);
gsupplicant_interface_add_network_call_free(call);
}
gsupplicant_interface_add_network_call_free(call);
}

static
void
gsupplicant_interface_call_add_network_finish_error(
GSupplicantInterfaceAddNetworkCall* call)
{
if (call->fn && !g_cancellable_is_cancelled(call->cancel)) {
GError* error = g_error_new(G_IO_ERROR, G_IO_ERROR_FAILED,
"Failed to enable %s", call->path);
if (call->cancel_id) {
/* In case if the callback calls g_cancellable_cancel() */
g_cancellable_disconnect(call->cancel, call->cancel_id);
call->cancel_id = 0;
/*
* If it's cancelled then gsupplicant_interface_add_network_call_free1
* call has been scheduled and we don't have to do anything here.
*/
if (!g_cancellable_is_cancelled(call->cancel)) {
if (call->fn) {
GError* error = g_error_new(G_IO_ERROR, G_IO_ERROR_FAILED,
"Failed to enable %s", call->path);
if (call->cancel_id) {
/* In case if the callback calls g_cancellable_cancel() */
g_cancellable_disconnect(call->cancel, call->cancel_id);
call->cancel_id = 0;
}
call->fn(call->iface, call->cancel, error, NULL, call->data);
g_error_free(error);
}
call->fn(call->iface, call->cancel, error, NULL, call->data);
g_error_free(error);
gsupplicant_interface_add_network_call_free(call);
}
gsupplicant_interface_add_network_call_free(call);
}

static
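Review bot: Both functions now decide who frees `call` purely from `g_cancellable_is_cancelled(call->cancel)`, so the fix rests on an invariant set up outside this hunk: every cancellation must already have scheduled gsupplicant_interface_add_network_call_free1. If the cancellable can be cancelled from another thread between that test and the free, or after `cancel_id` has been cleared, the outcome is presumably either the same double free or a request that nobody frees. Recording the hand-over on the request itself would make ownership explicit: the cancel handler marks the call as owned by the scheduled free, and these functions test that mark after `g_cancellable_disconnect()` rather than the cancellable's state. The guard is also duplicated in gsupplicant_interface_call_add_network_finish_error, which could build its GError and delegate with `gsupplicant_interface_call_add_network_finish(call, error); g_error_free(error);` so the rule lives in one place.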