summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorOpenGnSys Support Team <soporte-og@soleta.eu>2021-12-22 17:42:24 +0100
committerOpenGnSys Support Team <soporte-og@soleta.eu>2021-12-23 15:33:29 +0100
commit4e2ef1a13e79ad7c9a9b82d55aad384fbdb91b99 (patch)
tree5e8026bb4b40eb166295f1083776a6498cd4f001
parent216986e8481c81cd81a14138f5f7076c495bb2b4 (diff)
#1067 fix use-after-free in deliver pending command
Do not release the json object twice, once from og_send_request() and again og_cmd_free(). Valgrind reports: ==11885== Invalid read of size 8 ==11885== at 0x117B9A: json_decref (jansson.h:128) ==11885== by 0x117B9A: og_cmd_free (rest.c:2409) ==11885== by 0x113465: og_agent_deliver_pending_cmd (core.c:211) ==11885== by 0x113465: og_agent_read_cb (core.c:256) ==11885== by 0x4E41D72: ev_invoke_pending (in /usr/lib/x86_64-linux-gnu/libev.so.4.0.0) ==11885== by 0x4E453DD: ev_run (in /usr/lib/x86_64-linux-gnu/libev.so.4.0.0) ==11885== by 0x110C2D: ev_loop (ev.h:835) ==11885== by 0x110C2D: main (main.c:104) ==11885== Address 0x8e7e988 is 8 bytes inside a block of size 72 free'd ==11885== at 0x4C32D3B: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) ==11885== by 0x117437: json_decref (jansson.h:129) ==11885== by 0x117437: og_send_request (rest.c:330) ==11885== by 0x113454: og_agent_deliver_pending_cmd (core.c:208) ==11885== by 0x113454: og_agent_read_cb (core.c:256) ==11885== by 0x4E41D72: ev_invoke_pending (in /usr/lib/x86_64-linux-gnu/libev.so.4.0.0) ==11885== by 0x4E453DD: ev_run (in /usr/lib/x86_64-linux-gnu/libev.so.4.0.0) ==11885== by 0x110C2D: ev_loop (ev.h:835) ==11885== by 0x110C2D: main (main.c:104) ==11885== Block was alloc'd at ==11885== at 0x4C31B0F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) ==11885== by 0x526461A: json_object (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.11.0) ==11885== by 0x116A07: og_cmd_legacy_image_restore (rest.c:2627) ==11885== by 0x116A07: og_cmd_legacy (rest.c:2757) ==11885== by 0x116A07: og_queue_task_command (rest.c:2848) ==11885== by 0x118284: og_dbi_queue_command (rest.c:3109) ==11885== by 0x118284: og_schedule_run (rest.c:3190) ==11885== by 0x1147B9: og_agent_timer_cb (schedule.c:445) ==11885== by 0x4E41D72: ev_invoke_pending (in /usr/lib/x86_64-linux-gnu/libev.so.4.0.0) ==11885== by 0x4E453DD: ev_run (in /usr/lib/x86_64-linux-gnu/libev.so.4.0.0) ==11885== by 0x110C2D: ev_loop (ev.h:835) ==11885== by 0x110C2D: main (main.c:104)
Diffstat
-rw-r--r--src/core.c1
1 files changed, 1 insertions, 0 deletions
diff --git a/src/core.c b/src/core.c
index ad7799b..0f95ad9 100644
--- a/src/core.c
+++ b/src/core.c
@@ -205,6 +205,7 @@ static void og_agent_deliver_pending_cmd(struct og_client *cli)
return;
}
+ json_incref(cmd->json);
og_send_request(cmd->method, cmd->type, &cmd->params, cmd->json);
cli->last_cmd_id = cmd->id;