Message ID | 1487577721-31084-2-git-send-email-zhang.zhanghailiang@huawei.com (mailing list archive) |
---|---|
State | New, archived |
On 02/20/2017 04:01 PM, zhanghailiang wrote:
> The 'primary_list' and 'secondary_list' members of struct Connection
> are not allocated dynamically through g_queue_new(), but we free them by using
> g_queue_free(), which will lead to a double-free bug.
>
> Signed-off-by: zhanghailiang <zhang.zhanghailiang@huawei.com>
> ---
>  net/colo.c | 2 --
>  1 file changed, 2 deletions(-)
>
> diff --git a/net/colo.c b/net/colo.c
> index 6a6eacd..7d5c423 100644
> --- a/net/colo.c
> +++ b/net/colo.c
> @@ -147,9 +147,7 @@ void connection_destroy(void *opaque)
>      Connection *conn = opaque;
>
>      g_queue_foreach(&conn->primary_list, packet_destroy, NULL);
> -    g_queue_free(&conn->primary_list);
>      g_queue_foreach(&conn->secondary_list, packet_destroy, NULL);
> -    g_queue_free(&conn->secondary_list);

I think we need to use g_queue_clear() here.

void
g_queue_clear (GQueue *queue);

Removes all the elements in queue. If queue elements contain
dynamically-allocated memory, they should be freed first.

Thanks
Zhang Chen

>      g_slice_free(Connection, conn);
>  }
>
On 2017/2/21 10:25, Zhang Chen wrote:
>
>
> On 02/20/2017 04:01 PM, zhanghailiang wrote:
>> The 'primary_list' and 'secondary_list' members of struct Connection
>> are not allocated dynamically through g_queue_new(), but we free them by using
>> g_queue_free(), which will lead to a double-free bug.
>>
>> Signed-off-by: zhanghailiang <zhang.zhanghailiang@huawei.com>
>> ---
>>  net/colo.c | 2 --
>>  1 file changed, 2 deletions(-)
>>
>> diff --git a/net/colo.c b/net/colo.c
>> index 6a6eacd..7d5c423 100644
>> --- a/net/colo.c
>> +++ b/net/colo.c
>> @@ -147,9 +147,7 @@ void connection_destroy(void *opaque)
>>      Connection *conn = opaque;
>>
>>      g_queue_foreach(&conn->primary_list, packet_destroy, NULL);
>> -    g_queue_free(&conn->primary_list);
>>      g_queue_foreach(&conn->secondary_list, packet_destroy, NULL);
>> -    g_queue_free(&conn->secondary_list);
>
> I think we need to use g_queue_clear() here.
>

Ha, you are right, my original modification will introduce a memory leak.
Will fix in next version.

> void
> g_queue_clear (GQueue *queue);
> Removes all the elements in queue. If queue elements contain
> dynamically-allocated memory, they should be freed first.
>
> Thanks
> Zhang Chen
>
>>      g_slice_free(Connection, conn);
>>  }
>>
>
diff --git a/net/colo.c b/net/colo.c
index 6a6eacd..7d5c423 100644
--- a/net/colo.c
+++ b/net/colo.c
@@ -147,9 +147,7 @@ void connection_destroy(void *opaque)
     Connection *conn = opaque;
 
     g_queue_foreach(&conn->primary_list, packet_destroy, NULL);
-    g_queue_free(&conn->primary_list);
     g_queue_foreach(&conn->secondary_list, packet_destroy, NULL);
-    g_queue_free(&conn->secondary_list);
     g_slice_free(Connection, conn);
 }
 
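Review bot: dropping the two g_queue_free() calls in connection_destroy() removes the double free on the embedded GQueue members, but it also drops the only call that released the queues' GList nodes: g_queue_foreach() with packet_destroy frees the packets themselves, not the nodes that hold them, so every destroyed Connection now leaks its node lists. Replace each removed line with g_queue_clear(&conn->primary_list) and g_queue_clear(&conn->secondary_list) respectively (after the matching g_queue_foreach(), since g_queue_clear() does not free element data), which is the fix Zhang Chen suggests and the author accepts in the thread; that keeps the teardown of the embedded members separate from g_slice_free(Connection, conn), which is what releases the struct that contains them.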
The 'primary_list' and 'secondary_list' members of struct Connection
are not allocated dynamically through g_queue_new(), but we free them by using
g_queue_free(), which will lead to a double-free bug.

Signed-off-by: zhanghailiang <zhang.zhanghailiang@huawei.com>
---
 net/colo.c | 2 --
 1 file changed, 2 deletions(-)