diff options
| author | Quentin Young <qlyoung@cumulusnetworks.com> | 2018-04-25 17:16:55 -0400 |
|---|---|---|
| committer | Quentin Young <qlyoung@cumulusnetworks.com> | 2018-04-25 17:20:34 -0400 |
| commit | 08a0e54efae6d79e0b51335e8cd3ad29cb2c3f5b (patch) | |
| tree | f9327d60f09ba1044d0ef77684b0af0325a1fa3d /doc/developer/conf.py | |
| parent | 97722e560ecaf87125aff5a56e247b7952ef8105 (diff) | |
lib: fix heap corruption in stream_fifo_free
When popping a stream from a stream_fifo, the stream->next pointer is
not NULL'd out. If this same stream is subsequently pushed onto a
stream_fifo (either the same one or a different one), because
stream_fifo's use tail insertion the ->next pointer is not updated and
thus will point to whatever the next stream in the first stream_fifo
was. stream_fifo_free does not check the count of the stream_fifo when
freeing its constituent elements, and instead walks the linked list.
Consequently it will continue walking into the first stream_fifo from
which the last stream was popped, freeing each stream contained there.
This leads to use-after-free errors.
This patch makes sure to set the ->next pointer to NULL when doing tail
insertion in stream_fifo_push and when popping a stream from a
stream_fifo.
Signed-off-by: Quentin Young <qlyoung@cumulusnetworks.com>
Diffstat (limited to 'doc/developer/conf.py')
0 files changed, 0 insertions, 0 deletions