diff mbox

[v6,for-2.7,02/28] io: avoid double-free when closing QIOChannelBuffer

Message ID 1461751518-12128-3-git-send-email-berrange@redhat.com (mailing list archive)
State New, archived
Headers show

Commit Message

Daniel P. Berrangé April 27, 2016, 10:04 a.m. UTC
The QIOChannelBuffer's close implementation will free
the internal data buffer. It failed to reset the pointer
to NULL though, so when the object is later finalized
it will free it a second time with predictable crash.

Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
---
 io/channel-buffer.c | 1 +
 1 file changed, 1 insertion(+)

Comments

Juan Quintela May 4, 2016, 10:43 a.m. UTC | #1
"Daniel P. Berrange" <berrange@redhat.com> wrote:
> The QIOChannelBuffer's close implementation will free
> the internal data buffer. It failed to reset the pointer
> to NULL though, so when the object is later finalized
> it will free it a second time with predictable crash.
>
> Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
> Signed-off-by: Daniel P. Berrange <berrange@redhat.com>

Reviewed-by: Juan Quintela <quintela@redhat.com>
diff mbox

Patch

diff --git a/io/channel-buffer.c b/io/channel-buffer.c
index 3e5117b..43d7959 100644
--- a/io/channel-buffer.c
+++ b/io/channel-buffer.c
@@ -140,6 +140,7 @@  static int qio_channel_buffer_close(QIOChannel *ioc,
     QIOChannelBuffer *bioc = QIO_CHANNEL_BUFFER(ioc);
 
     g_free(bioc->data);
+    bioc->data = NULL;
     bioc->capacity = bioc->usage = bioc->offset = 0;
 
     return 0;