[PATCH] Fix double-free conditions in X devd backend

Robert Millan rmh at freebsd.org
Mon Feb 3 14:25:27 UTC 2014


On 01/02/2014 23:16, Baptiste Daroussin wrote:
> On Sat, Feb 01, 2014 at 01:39:48AM +0100, Robert Millan wrote:
>>
>> Hi Baptiste,
>>
>> Is the devd backend you wrote for X still maintained? If so, I've fixed a
>> few problems (including a 100% reproducible heap corruption!). Shall I send
>> patches your way?
>>
> 
> Yes it is, please send the patches to the x11@ mailing list and CC me.

Okay, here's the first one which fixes three conditions that could lead to
double-free:

- xstrdup(path) before passing it to input_option_new() a second time. This
  avoids the potential for double-free when the callee deallocates them.

- Fix another double-free condition: socket_getline() is expected by its caller
  to set **out as a pointer to an allocated block whenever it returns a
  non-negative value. Therefore do not free() buf when its strlen() is zero.

- The routine in wakeup_handler() ends with a "free(line)" so the `line'
  variable must not be tampered with. This issue is 100% reproducible and
  on my system results in an X server crash each time a mouse/keyboard is
  plugged/unplugged!

-- 
Robert Millan
-------------- next part --------------
A non-text attachment was scrubbed...
Name: devd_double_free.diff
Type: text/x-patch
Size: 987 bytes
Desc: not available
URL: <http://lists.freebsd.org/pipermail/freebsd-x11/attachments/20140203/33bc158a/attachment.bin>
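
The three ownership rules from the message above, as an added C example that is neither the devd backend's code nor the attached patch. read_line(), struct option and handle_event() are hypothetical stand-ins for socket_getline(), input_option_new() and the routine in wakeup_handler(), and the event line format is constructed.

```c
#include <stdlib.h>
#include <string.h>

static char *dup_str(const char *s)
{
    size_t n = strlen(s) + 1;
    char *d = malloc(n);
    return d ? memcpy(d, s, n) : NULL;
}

/* Hypothetical stand-in for socket_getline(). Contract: a return value
 * >= 0 means *out is a heap block the caller must free(), even for an
 * empty line; on -1 nothing was handed over. */
static int read_line(const char *src, char **out)
{
    char *buf = src ? dup_str(src) : NULL;
    if (buf == NULL)
        return -1;
    buf[strcspn(buf, "\n")] = '\0';
    /* Bug pattern: if (strlen(buf) == 0) free(buf);  caller frees again */
    *out = buf;
    return (int)strlen(buf);
}

/* Hypothetical option record that owns its value and frees it. */
struct option { char *value; };
static void option_free(struct option *o) { free(o->value); o->value = NULL; }

/* Returns the number of options built, or -1 if no line was read. */
static int handle_event(const char *src)
{
    char *line = NULL;
    if (read_line(src, &line) < 0)
        return -1;
    const char *p = line;          /* parse via a cursor, never line++ */
    if (*p == '+' || *p == '-')
        p++;
    int made = 0;
    if (*p != '\0') {
        /* Two owners of the same path: each gets its own copy. */
        struct option a = { dup_str(p) }, b = { dup_str(p) };
        made = (a.value != NULL) + (b.value != NULL);
        option_free(&a);
        option_free(&b);
    }
    free(line);                    /* still the pointer malloc() returned */
    return made;
}
```

Building this with AddressSanitizer (`-fsanitize=address`) and reintroducing any of the commented bug patterns makes the double free or invalid free show up on the first event.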