From: Alex Riesen <raa.lkml@gmail.com>
To: git@vger.kernel.org
Cc: Dave Jones <davej@redhat.com>, Junio C Hamano <junkio@cox.net>
Subject: [PATCH] Fix use after free() in builtin-fetch
Date: Mon, 28 Apr 2008 22:23:35 +0200
Message-ID: <20080428202335.GA10600@steel.home>
In-Reply-To: <20080428184138.GA30702@redhat.com>

As reported by Dave Jones:

Since master.kernel.org updated to latest, I noticed that I could crash
git-fetch by doing this..

export KERNEL=/pub/scm/linux/kernel/git/
git fetch $KERNEL/torvalds/linux-2.6 master:linus

(gdb) bt
#0  0x000000349fd6d44b in free () from /lib64/libc.so.6
#1  0x000000000048f4eb in transport_unlock_pack (transport=0x7ce530) at transport.c:811
#2  0x000000349fd31b25 in exit () from /lib64/libc.so.6
#3  0x00000000004043d8 in handle_internal_command (argc=3, argv=0x7fffea4449f0) at git.c:379
#4  0x0000000000404547 in main (argc=3, argv=0x7fffea4449f0) at git.c:443
#5  0x000000349fd1c784 in __libc_start_main () from /lib64/libc.so.6
#6  0x0000000000403ef9 in ?? ()
#7  0x00007fffea4449d8 in ?? ()
#8  0x0000000000000000 in ?? ()

I then remembered, my .bashrc has this..

export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))

which is handy for showing up such bugs.

More info on this glibc feature is at http://udrepper.livejournal.com/11429.html

Signed-off-by: Alex Riesen <raa.lkml@gmail.com>
---
Dave Jones, Mon, Apr 28, 2008 20:41:38 +0200:
> (gdb) bt
> #0  0x000000349fd6d44b in free () from /lib64/libc.so.6
> #1  0x000000000048f4eb in transport_unlock_pack (transport=0x7ce530) at transport.c:811
> #2  0x000000349fd31b25 in exit () from /lib64/libc.so.6

atexit strikes again. Besides, I believe, do_fetch has no business in
deallocation of resources it did not allocate.

 builtin-fetch.c |    8 +++++---
 1 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/builtin-fetch.c b/builtin-fetch.c
index 139a6b1..167f948 100644
--- a/builtin-fetch.c
+++ b/builtin-fetch.c
@@ -577,8 +577,6 @@ static int do_fetch(struct transport *transport,
 		free_refs(ref_map);
 	}
 
-	transport_disconnect(transport);
-
 	return 0;
 }
 
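Review bot: with transport_disconnect() removed from the tail of do_fetch, ownership of the transport silently moves to the caller, but nothing in this hunk records that; add a one-line comment above do_fetch (or in its declaration) stating that the caller is responsible for disconnecting the transport, so a future caller does not assume the old cleanup-on-return behaviour and leak or double-free it.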
@@ -599,6 +597,7 @@ int cmd_fetch(int argc, const char **argv, const char *prefix)
 	int i;
 	static const char **refs = NULL;
 	int ref_nr = 0;
+	int exit_code;
 
 	/* Record the command line for the reflog */
 	strbuf_addstr(&default_rla, "fetch");
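Review bot: the new local is named `exit_code`, but what it will hold is do_fetch's return value, which is the builtin's result rather than a process exit status; consider the more conventional `ret`/`retval` name used elsewhere in the builtins so the reader does not expect an exit() to follow, and keep the declaration at block start as done here since that matches the C89 style of this file.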
@@ -652,6 +651,9 @@ int cmd_fetch(int argc, const char **argv, const char *prefix)
 
 	signal(SIGINT, unlock_pack_on_signal);
 	atexit(unlock_pack);
-	return do_fetch(transport,
+	exit_code = do_fetch(transport,
 			parse_fetch_refspec(ref_nr, refs), ref_nr);
+	transport_disconnect(transport);
+	transport = NULL;
+	return exit_code;
 }
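Review bot: the `transport = NULL;` after transport_disconnect() is what disarms the atexit(unlock_pack) handler armed a few lines earlier, but that only holds if unlock_pack reads this same `transport` variable rather than a copy, which the hunk does not show; a short comment saying the assignment exists to keep the atexit and SIGINT handlers from touching a freed transport would make the intent explicit. There is also a small window between transport_disconnect() returning and the NULL store in which the SIGINT handler registered at `signal(SIGINT, unlock_pack_on_signal);` would still see the freed pointer; clearing the shared pointer first and disconnecting through a local copy, e.g.

	struct transport *t = transport;
	transport = NULL;
	transport_disconnect(t);

closes that window without changing the fix.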
-- 
1.5.5.1.118.g6dd1b6.dirty
