[PATCH] double free of sess->proxies

Diego Santa Cruz Diego.SantaCruz at spinetix.com
Tue May 21 04:34:13 EDT 2013


Hi all,

We have encountered a bug in free_proxies() in ne_session.c that causes a
double-free or invalid data references in some cases.

As not all callers of free_proxies() set sess->proxies to a new value in all
cases, this pointer may be kept when the block has been freed, for instance
if ne_set_addrlist() is called with n = 0. I think calling
ne_session_system_proxy() may also cause this, although it is less clear.

The attached patch solves this by simply setting sess->proxies to NULL at the
end of free_proxies(). Patch is against 0.29.6.

Best,

Diego

--
Diego Santa Cruz, PhD
Technology Architect
_________________________________
SpinetiX S.A.
Rue des Terreaux 17
1003, Lausanne, Switzerland
T +41 21 341 15 50
F +41 21 311 19 56
diego.santacruz at spinetix.com
http://www.spinetix.com
http://www.youtube.com/SpinetiXTeam
_________________________________



-------------- next part --------------
A non-text attachment was scrubbed...
Name: neon-free_proxies-double-free.patch
Type: application/octet-stream
Size: 299 bytes
Desc: neon-free_proxies-double-free.patch
Url : http://lists.manyfish.co.uk/pipermail/neon/attachments/20130521/19ab623a/attachment.obj 
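
A minimal model of the failure described in the message above, added here as an example; it is not neon's code and not the attached patch. The struct layouts, the pool allocator and the `clear_head` switch are assumptions, chosen so that a release of an already released node is counted instead of executed.

```c
#include <stdio.h>

/* Constructed model: names follow the mail, bodies are assumptions. */
#define POOL 8
struct proxy { struct proxy *next; int live; };
struct session { struct proxy *proxies; int stale_frees; };
static struct proxy pool[POOL];

static struct proxy *node_alloc(void) {
    for (int i = 0; i < POOL; i++)
        if (!pool[i].live) { pool[i].live = 1; return &pool[i]; }
    return NULL;
}

/* Stand-in for free(): counts a release of an already released node. */
static void node_free(struct session *s, struct proxy *p) {
    if (!p->live) s->stale_frees++;
    p->live = 0;
}

/* clear_head = 1 applies the change proposed in the mail. */
static void free_proxies(struct session *s, int clear_head) {
    struct proxy *p, *next;
    for (p = s->proxies; p; p = next) { next = p->next; node_free(s, p); }
    if (clear_head) s->proxies = NULL;
}

/* Caller that stores a new list only when n > 0 (the n = 0 case). */
static void set_addrlist(struct session *s, int n, int clear_head) {
    struct proxy *head = NULL, *p;
    free_proxies(s, clear_head);
    for (int i = 0; i < n && (p = node_alloc()); i++) { p->next = head; head = p; }
    if (n > 0) s->proxies = head;
}

/* Set two proxies, set none, tear down; returns stale releases seen. */
static int run_scenario(int clear_head) {
    struct session s = { NULL, 0 };
    for (int i = 0; i < POOL; i++) pool[i].live = 0;
    set_addrlist(&s, 2, clear_head);
    set_addrlist(&s, 0, clear_head);
    free_proxies(&s, clear_head); /* session teardown */
    return s.stale_frees;
}

int main(void) {
    printf("unpatched: %d, patched: %d stale frees\n", run_scenario(0), run_scenario(1));
    return 0;
}
```

Without the head being cleared, the teardown call walks the list released by the `n = 0` call and releases both nodes a second time; with it, the second walk sees an empty list.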

