[syslinux:elflink] lwip: Fix use-after-free memory corruption

syslinux-bot for Matt Fleming matt.fleming at intel.com
Wed Mar 6 09:42:07 PST 2013

Commit-ID:  990f1ace09e79f99a196574f60e5484a5bb4a2d4
Gitweb:     http://www.syslinux.org/commit/990f1ace09e79f99a196574f60e5484a5bb4a2d4
Author:     Matt Fleming <matt.fleming at intel.com>
AuthorDate: Tue, 19 Feb 2013 12:18:19 +0000
Committer:  Matt Fleming <matt.fleming at intel.com>
CommitDate: Tue, 26 Feb 2013 11:29:13 +0000

lwip: Fix use-after-free memory corruption

Set *sem to NULL after free() otherwise calling sys_sem_set_invalid()
will cause us to write into a memory location that has potentially
either been reused for another allocation or contains freelist

This manifested as malloc() corruption, because we
sys_sem_set_invalid() was overwriting malloc metadata used for
maintaining the freelist.

Cc: H. Peter Anvin <hpa at zytor.com>
Cc: Eric W. Biederman <ebiederm at xmission.com>
Cc: Gene Cumm <gene.cumm at gmail.com>
Signed-off-by: Matt Fleming <matt.fleming at intel.com>

 core/lwip/src/arch/sys_arch.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/core/lwip/src/arch/sys_arch.c b/core/lwip/src/arch/sys_arch.c
index 5f8437e..894f6ad 100644
--- a/core/lwip/src/arch/sys_arch.c
+++ b/core/lwip/src/arch/sys_arch.c
@@ -25,6 +25,7 @@ void sys_sem_free(sys_sem_t *sem)
     if (!!sem && !!*sem) {
+	*sem = NULL;

More information about the Syslinux-commits mailing list