[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[lwip-devel] [patch #7088] DNS with custom malloc/realloc contains a dou
|
From: |
Ken Smith |
|
Subject: |
[lwip-devel] [patch #7088] DNS with custom malloc/realloc contains a double free in RAM pbuf realloc |
|
Date: |
Tue, 09 Feb 2010 21:55:10 +0000 |
|
User-agent: |
Mozilla/5.0 (X11; U; Linux i686; en-US) AppleWebKit/532.9 (KHTML, like Gecko) Chrome/4.0.305.0 Safari/532.9 |
URL:
<http://savannah.nongnu.org/patch/?7088>
Summary: DNS with custom malloc/realloc contains a double
free in RAM pbuf realloc
Project: lwIP - A Lightweight TCP/IP stack
Submitted by: kensmith
Submitted on: Tue 09 Feb 2010 09:55:09 PM GMT
Category: None
Priority: 5 - Normal
Status: None
Privacy: Public
Assigned to: None
Originator Email:
Open/Closed: Open
Discussion Lock: Any
Planned Release: None
_______________________________________________________
Details:
I am using the raw DNS API and have #define'ed MEM_LIBC_MALLOC. I have
custom implementations of malloc and realloc. My realloc implementation, like
the standard C implementation, may change the address of the allocation. Here
is the call stack that gets into a double free situation.
dns_gethosbyname
dns_enqueue
dns_check_entry
dns_send
p is a RAM pbuf
p is pbuf_realloced
for RAM pbufs, pbuf_realloc calls mem_realloc
which my implementation replaces with a
custom realloc
p is freed (this is the second free since
realloc performed a free)
The newly allocated memory has a different address but that address is not
given to the caller. The original p is freed so the caller is holding invalid
memory and dns_send calls free on an already freed buffer.
Please find attached a patch which resolves this issue by changing the
interface to pbuf_realloc.
_______________________________________________________
File Attachments:
-------------------------------------------------------
Date: Tue 09 Feb 2010 09:55:09 PM GMT Name: pbuf-realloc.patch Size: 12kB
By: kensmith
<http://savannah.nongnu.org/patch/download.php?file_id=19666>
_______________________________________________________
Reply to this item at:
<http://savannah.nongnu.org/patch/?7088>
_______________________________________________
Message sent via/by Savannah
http://savannah.nongnu.org/
- [lwip-devel] [patch #7088] DNS with custom malloc/realloc contains a double free in RAM pbuf realloc,
Ken Smith <=
- [lwip-devel] [patch #7088] DNS with custom malloc/realloc contains a double free in RAM pbuf realloc, Kieran Mansley, 2010/02/11
- [lwip-devel] [patch #7088] DNS with custom malloc/realloc contains a double free in RAM pbuf realloc, Simon Goldschmidt, 2010/02/11
- [lwip-devel] [patch #7088] Support for mem_realloc moving memory, Simon Goldschmidt, 2010/02/12
- [lwip-devel] [patch #7088] Support for mem_realloc moving memory, Simon Goldschmidt, 2010/02/17
- [lwip-devel] [patch #7088] Support for mem_realloc moving memory, Ken Smith, 2010/02/17
- [lwip-devel] [patch #7088] Support for mem_realloc moving memory, Simon Goldschmidt, 2010/02/18
- [lwip-devel] [patch #7088] Support for mem_realloc moving memory, Kieran Mansley, 2010/02/18
- [lwip-devel] [patch #7088] Support for mem_realloc moving memory, Ken Smith, 2010/02/18