author | David Woodhouse <dwmw2@infradead.org> | 2010-12-06 13:47:27 +0000 |
---|---|---|
committer | Samuel Ortiz <sameo@linux.intel.com> | 2010-12-10 12:42:24 +0100 |
commit | 0d34177752f986982bfe32eab3eb46a86b4228f6 (patch) | |
tree | dfd1bb1ac1927fb0ef279719974a20905b6224fe /plugins | |
parent | c39d46fae83419a9a68cf6a87fc3b52d490a9c97 (diff) | |
download | pacrunner-0d34177752f986982bfe32eab3eb46a86b4228f6.tar.gz |
Fix use-after-free in curl plugin
==14387== Invalid read of size 4
==14387== at 0x4095D3: check_sockets (curl.c:88)
==14387== by 0x4096B9: timeout_callback (curl.c:201)
==14387== by 0x3993A435EA: g_timeout_dispatch (gmain.c:3585)
==14387== by 0x3993A41E32: g_main_context_dispatch (gmain.c:2149)
==14387== by 0x3993A4260F: g_main_context_iterate.clone.5 (gmain.c:2780)
==14387== by 0x3993A42C81: g_main_loop_run (gmain.c:2988)
==14387== by 0x409BD4: main (main.c:173)
==14387== Address 0x5290680 is 16 bytes inside a block of size 32 free'd
==14387== at 0x4A05187: free (vg_replace_malloc.c:325)
==14387== by 0x39A963630F: curl_multi_remove_handle (in /usr/lib64/libcurl.so.4.2.0)
==14387== by 0x4095BE: check_sockets (curl.c:84)
==14387== by 0x4096B9: timeout_callback (curl.c:201)
==14387== by 0x3993A435EA: g_timeout_dispatch (gmain.c:3585)
==14387== by 0x3993A41E32: g_main_context_dispatch (gmain.c:2149)
==14387== by 0x3993A4260F: g_main_context_iterate.clone.5 (gmain.c:2780)
==14387== by 0x3993A42C81: g_main_loop_run (gmain.c:2988)
==14387== by 0x409BD4: main (main.c:173)
==14387==
Diffstat (limited to 'plugins')
-rw-r--r-- | plugins/curl.c | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/plugins/curl.c b/plugins/curl.c
index b8e2ff7..5fcf1c5 100644
--- a/plugins/curl.c
+++ b/plugins/curl.c
@@ -81,9 +81,6 @@ static void check_sockets(CURLM *multi, CURLMcode result, int handles)
 DBG("finished %s result %d", eff_url, msg->data.result);
- curl_multi_remove_handle(multi, easy);
- curl_easy_cleanup(easy);
-
 if (download->callback) {
 if (msg->data.result == 0) {
 str = g_string_free(download->content, FALSE);
@@ -95,6 +92,9 @@ static void check_sockets(CURLM *multi, CURLMcode result, int handles)
 } else
 g_string_free(download->content, TRUE);
+ curl_multi_remove_handle(multi, easy);
+ curl_easy_cleanup(easy);
+
 g_free(download->url);
 g_free(download);
 } while (msgs_left > 0); |
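Review bot: In the second hunk of check_sockets, `download->callback` now runs while `easy` is still attached to `multi` and `msg` is still in use, so the fix is only safe if the callback never re-enters libcurl on this multi handle, which is not visible from here. The valgrind trace shows `msg` being freed inside curl_multi_remove_handle(), and libcurl documents that a message from curl_multi_info_read() (presumably where `msg` comes from) does not survive that call. A more robust shape copies the result first with `CURLcode res = msg->data.result;`, releases the handle, and then tests `res` in the callback branch, so no libcurl-owned pointer is held across the callback. Either way, a comment at the moved calls such as `/* msg is owned by the multi handle and is invalid after curl_multi_remove_handle() */` would keep a later reorder from reintroducing the use-after-free. The function body starts and ends outside both hunks.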