[patch] null after free

John (J5) Palmieri johnp at redhat.com
Mon Oct 4 20:28:46 UTC 2004 

On Mon, 2004-10-04 at 10:27 -0400, John (J5) Palmieri wrote:
> On Sat, 2004-10-02 at 18:59 -0400, Havoc Pennington wrote:
> > On Fri, 2004-10-01 at 16:42 -0400, John (J5) Palmieri wrote:
> > > An unfortunate breakage in glibc's getgrouplist function led me to this
> > > bug in a rarely used error code path.  Basically on errors in the
> > > fill_user_info function there is a double free of the info structure.  I
> > > have a quick fix which nulls out the structure after the free.  This
> > > ensures that double frees don't crash dbus.  This however is a bandaid
> > > and we need to look at why the double free is happening and to determine
> > > which of the frees is the correct one. 
> > > 
> > > The glibc guys took care of the glib bug so no worries there.
> > > 
> > 
> > OK, we should really figure out the real bug instead of applying the
> > bandaid - valgrind should spell it out for you, I would think, if you
> > can reproduce.
> > 
> > Havoc
> 
> I know where it is happening.  I just wasn't sure if it was happening in
> other places and didn't have time to fix it properly.  I thought I would
> get the bandaid out first and report the error while I was tracking down
> the glibc bug.  What I will do, now that I have time, is put asserts in
> the user_info_free function and fix the double frees properly where I
> can find them.  

What is actually happening is that on an error in the fill_user_info
function in dbus-sysdeps.c we are jumping to the failed section which
frees the DBusUserInfo structure:

failed:
  _DBUS_ASSERT_ERROR_IS_SET (error);
  _dbus_user_info_free (info);
  return FALSE;

However this returns FALSE and an error to the caller which then calls
free_user_info (which calls _dbus_user_info_free somewhere down the
line).  Here is an example from dbus-userdb.c
(_dbus_user_database_lookup):

if (!_dbus_user_info_fill_uid (info, uid, error))
  {
    _DBUS_ASSERT_ERROR_IS_SET (error);
    free_user_info (info);
    return NULL;
  }

This is just one example but it happens a couple of times.  The question
is where is it best to free the structure?  The DBusUserInfo field is
passed into fill_user_info so I feel this is not the place it should be
freed.  However if it is not freed there we must make sure the error is
handled everywhere else.  Any opinions?

-- 
John (J5) Palmieri
Associate Software Engineer
Desktop Group
Red Hat, Inc.
Blog: http://martianrock.com

More information about the dbus mailing list