[syslinux:elflink] lwip: Fix use-after-free memory corruption
syslinux-bot for Matt Fleming
matt.fleming at intel.com
Wed Mar 6 09:42:07 PST 2013
Commit-ID: 990f1ace09e79f99a196574f60e5484a5bb4a2d4
Gitweb: http://www.syslinux.org/commit/990f1ace09e79f99a196574f60e5484a5bb4a2d4
Author: Matt Fleming <matt.fleming at intel.com>
AuthorDate: Tue, 19 Feb 2013 12:18:19 +0000
Committer: Matt Fleming <matt.fleming at intel.com>
CommitDate: Tue, 26 Feb 2013 11:29:13 +0000
lwip: Fix use-after-free memory corruption
Set *sem to NULL after free() otherwise calling sys_sem_set_invalid()
will cause us to write into a memory location that has potentially
either been reused for another allocation or contains freelist
metadata.
This manifested as malloc() corruption, because we
sys_sem_set_invalid() was overwriting malloc metadata used for
maintaining the freelist.
Cc: H. Peter Anvin <hpa at zytor.com>
Cc: Eric W. Biederman <ebiederm at xmission.com>
Cc: Gene Cumm <gene.cumm at gmail.com>
Signed-off-by: Matt Fleming <matt.fleming at intel.com>
---
core/lwip/src/arch/sys_arch.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/core/lwip/src/arch/sys_arch.c b/core/lwip/src/arch/sys_arch.c
index 5f8437e..894f6ad 100644
--- a/core/lwip/src/arch/sys_arch.c
+++ b/core/lwip/src/arch/sys_arch.c
@@ -25,6 +25,7 @@ void sys_sem_free(sys_sem_t *sem)
if (!!sem && !!*sem) {
sys_sem_set_invalid(sem);
free(*sem);
+ *sem = NULL;
}
}
More information about the Syslinux-commits
mailing list