[PATCH] client: don't clear cl->dispatch
wojciech.jowsa at gmail.com
Mon Oct 26 04:45:27 EDT 2020
From: Wojciech Jowsa <wojciech.jowsa at gmail.com>
A segfault occurs in ubus_cmp_id when a client
tries to subscribe to an ubus object after the
object was removed and added again. When the ubus
object is removed then a client subscribed to
this object is notified about that. This causes
the following function calls:
uh_ubus_subscription_notification_remove_cb->
uh_request_done->memset(&cl->dispatch,..)
When the object is added again and the client
subscribes to it then the following functions are
called ubus_add_object_cb->
avl_insert->avl_find_rec-> ubus_cmp_id.
Ubus_cmp_id tries to compare keys by
dereferencing pointers but one of the pointers
was previously zeroed in uh_request_done.
Signed-off-by: Wojciech Jowsa <wojciech.jowsa at gmail.com>
---
client.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/client.c b/client.c
index 6233d01..45cd591 100644
--- a/client.c
+++ b/client.c
@@ -125,7 +125,6 @@ void uh_request_done(struct client *cl)
uh_chunk_eof(cl);
uh_dispatch_done(cl);
blob_buf_init(&cl->hdr_response, 0);
- memset(&cl->dispatch, 0, sizeof(cl->dispatch));
if (!conf.http_keepalive || cl->request.connection_close)
return uh_connection_close(cl);
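Review bot: Dropping the memset in uh_request_done() means cl->dispatch is no longer reset between requests, so when the keep-alive check just below does not close the connection, the next request on the same client starts with whatever the previous handler left in the struct. Going by the commit message, the crash comes from a key pointer inside cl->dispatch being zeroed while its node is still reachable through avl_insert/avl_find_rec, so a narrower fix would be to unlink that subscriber state before the clear (or exclude only that member from it) and keep the reset for everything else. If removing the clear entirely is intended, the commit message should say why stale dispatch state is safe for later requests on a kept-alive connection, and a short comment at this spot would help the next reader.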
--
2.25.1