[network-manager-applet] c-e: fix bad unref causing heap corruption



commit e0bdcd687064121db35c3cede932f1ab0f157fe9
Author: Jan Alexander Steffens (heftig) <jan steffens gmail com>
Date:   Thu Jan 26 20:35:55 2017 +0100

    c-e: fix bad unref causing heap corruption
    
    The "mac-address" property implemented by a few NMSetting subclasses is
    a string, not a boxed GByteArray.
    
    Replace the g_byte_array_unref with a g_free. On a hunch, also check if
    the returned string is empty instead of just NULL, which might be more
    correct.
    
    Using g_byte_array_unref on a string causes silent heap corruption,
    resulting in a crash somewhere else in malloc_consolidate or similar.
    For me, nm-connection-editor almost always crashed when opening or
    closing the settings for an active bridge connection.
    
    valgrind caught an invalid read done by g_array_unref, but neither gdb
    nor "_MALLOC_CHECK=1 G_SLICE=always-malloc" was any help.
    
    https://bugzilla.gnome.org/show_bug.cgi?id=777787

 src/connection-editor/page-master.c |    8 +++++---
 1 files changed, 5 insertions(+), 3 deletions(-)
---
diff --git a/src/connection-editor/page-master.c b/src/connection-editor/page-master.c
index 42d97da..e73c08f 100644
--- a/src/connection-editor/page-master.c
+++ b/src/connection-editor/page-master.c
@@ -196,16 +196,18 @@ get_device_for_connection (NMClient *client, NMConnection *conn)
        if (   !nm_setting_connection_get_interface_name (s_con)
               && !nm_connection_get_interface_name (conn)) {
                NMSetting *s_hw;
-               GByteArray *mac_address;
+               gchar *mac_address;
 
                s_hw = nm_connection_get_setting_by_name (conn, nm_setting_connection_get_connection_type 
(s_con));
                if (!s_hw || !g_object_class_find_property (G_OBJECT_GET_CLASS (s_hw), "mac-address"))
                        return NULL;
 
                g_object_get (G_OBJECT (s_hw), "mac-address", &mac_address, NULL);
-               if (!mac_address)
+               if (!mac_address || !mac_address[0]) {
+                       g_free (mac_address);
                        return NULL;
-               g_byte_array_unref (mac_address);
+               }
+               g_free (mac_address);
        }
 
        /* OK, now find that device */
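Review bot: the guard ahead of `g_object_get` in this hunk, `g_object_class_find_property (G_OBJECT_GET_CLASS (s_hw), "mac-address")`, only confirms that a property with that name exists, not that it holds a string, so the new `g_free (mac_address)` rests on the same unchecked type assumption that made `g_byte_array_unref` wrong. Consider keeping the returned GParamSpec and returning NULL unless `G_PARAM_SPEC_VALUE_TYPE (pspec) == G_TYPE_STRING`, and declaring `gchar *mac_address = NULL;` so the pointer is defined on every path. The `!mac_address[0]` test is, per the commit message, a hunch and a behaviour change separate from the unref fix; a one-line comment saying why an empty MAC is treated as unset would help. Since the value is only tested and then freed on both paths, storing the test result in a boolean and freeing once would remove the duplicated `g_free`.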

