From 3c58ea10f90c657d34133d7244a550456bc93cf9 Mon Sep 17 00:00:00 2001 From: Khem Raj Date: Mon, 11 Nov 2013 20:15:53 -0800 Subject: libnl: Fix random segfaults due to memory corruption This is a backport from upstream fixes a severe problem w.r.t memory management, where it would result in random segfaults in applications depending on libnl Signed-off-by: Khem Raj Signed-off-by: Saul Wold --- ...free-caused-by-freeing-link-af_data-in-rt.patch | 41 ++++++++++++++++++++++ meta/recipes-support/libnl/libnl_3.2.22.bb | 4 ++- 2 files changed, 44 insertions(+), 1 deletion(-) create mode 100644 meta/recipes-support/libnl/libnl/0001-fix-double-free-caused-by-freeing-link-af_data-in-rt.patch (limited to 'meta/recipes-support/libnl') diff --git a/meta/recipes-support/libnl/libnl/0001-fix-double-free-caused-by-freeing-link-af_data-in-rt.patch b/meta/recipes-support/libnl/libnl/0001-fix-double-free-caused-by-freeing-link-af_data-in-rt.patch new file mode 100644 index 0000000000..6d2c8ff72d --- /dev/null +++ b/meta/recipes-support/libnl/libnl/0001-fix-double-free-caused-by-freeing-link-af_data-in-rt.patch @@ -0,0 +1,41 @@ +From 6f37b439af7e96104aadd8ec3ae8d3882df8d102 Mon Sep 17 00:00:00 2001 +From: Jiri Pirko +Date: Wed, 21 Aug 2013 14:40:34 +0200 +Subject: [PATCH] fix double free caused by freeing link af_data in + rtnl_link_set_family() + +Introduced by commit 8026fe2e3a9089eff3f5a06ee6e3cc78d96334ed ("link: +Free and realloc af specific data upon rtnl_link_set_family()") + +link->l_af_data[link->l_af_ops->ao_family] is freed here but not set to +zero. That leads to double free made by link_free_data->do_foreach_af. + +Fix this by setting link->l_af_data[link->l_af_ops->ao_family] to zero +rigth after free. + +Signed-off-by: Jiri Pirko +Signed-off-by: Thomas Graf +--- + lib/route/link.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/lib/route/link.c b/lib/route/link.c +index a73e1db..0bb90a0 100644 +--- a/lib/route/link.c ++++ b/lib/route/link.c +@@ -1762,9 +1762,11 @@ void rtnl_link_set_family(struct rtnl_link *link, int family) + link->l_family = family; + link->ce_mask |= LINK_ATTR_FAMILY; + +- if (link->l_af_ops) ++ if (link->l_af_ops) { + af_free(link, link->l_af_ops, + link->l_af_data[link->l_af_ops->ao_family], NULL); ++ link->l_af_data[link->l_af_ops->ao_family] = NULL; ++ } + + link->l_af_ops = af_lookup_and_alloc(link, family); + } +-- +1.8.4 + diff --git a/meta/recipes-support/libnl/libnl_3.2.22.bb b/meta/recipes-support/libnl/libnl_3.2.22.bb index 30f85b2995..3c31b1ac86 100644 --- a/meta/recipes-support/libnl/libnl_3.2.22.bb +++ b/meta/recipes-support/libnl/libnl_3.2.22.bb @@ -12,7 +12,9 @@ DEPENDS = "flex-native bison-native" SRC_URI = "http://www.infradead.org/~tgr/${BPN}/files/${BP}.tar.gz \ file://fix-pktloc_syntax_h-race.patch \ file://fix-pc-file.patch \ - file://fix-lib-cache_mngr.c-two-parentheses-bugs.patch" + file://fix-lib-cache_mngr.c-two-parentheses-bugs.patch \ + file://0001-fix-double-free-caused-by-freeing-link-af_data-in-rt.patch \ + " SRC_URI[md5sum] = "2e1c889494d274aca24ce5f6a748e66e" SRC_URI[sha256sum] = "c7c5f267dfeae0c1a530bf96b71fb7c8dbbb07d54beef49b6712d8d6166f629b" -- cgit 1.2.3-korg