From 46f99b295e59f44dfde50ec90e7c09627d32431e Mon Sep 17 00:00:00 2001 From: "Jan Alexander Steffens (heftig)" Date: Wed, 20 Dec 2017 13:23:12 +0100 Subject: [PATCH 1/2] shared/compat: fix memory handling of nm_setting_vpn_get_*_keys The compat implementations return a (transfer none) strv instead of a (transfer container) one. This has caused double frees in nm-applet: https://bugs.archlinux.org/task/56772 Don't copy the keys and don't free the container later. [thaller@redhat.com: patch adjusted to avoid compiler warning] Patch imported from NetworkManager commit 8ac8c01162235c2c198bfaf25fb7d1a57a595ce5. Fixes: e93ca7fc129ec0f29f5313a3aa12839914df8fa2 (cherry picked from commit 0c90e08f77b71d2bda699cf032fceec0122bbf82) --- shared/nm-utils/nm-compat.c | 10 +--------- 1 file changed, 1 insertion(+), 9 deletions(-) diff --git a/shared/nm-utils/nm-compat.c b/shared/nm-utils/nm-compat.c index 22ab675d..47035e62 100644 --- a/shared/nm-utils/nm-compat.c +++ b/shared/nm-utils/nm-compat.c @@ -30,7 +30,7 @@ _get_keys_cb (const char *key, const char *val, gpointer user_data) { GPtrArray *a = user_data; - g_ptr_array_add (a, g_strdup (key)); + g_ptr_array_add (a, (gpointer) key); } static const char ** @@ -55,14 +55,6 @@ _get_keys (NMSettingVpn *setting, g_ptr_array_sort (a, nm_strcmp_p); g_ptr_array_add (a, NULL); keys = (const char **) g_ptr_array_free (g_steal_pointer (&a), FALSE); - - /* we need to cache the keys *somewhere*. */ - g_object_set_qdata_full (G_OBJECT (setting), - is_secrets - ? NM_CACHED_QUARK ("libnm._nm_setting_vpn_get_secret_keys") - : NM_CACHED_QUARK ("libnm._nm_setting_vpn_get_data_keys"), - keys, - (GDestroyNotify) g_strfreev); } NM_SET_OUT (out_length, len); -- 2.14.3 From 0d13a8b4064c83146714ecee86b69042aca35f9e Mon Sep 17 00:00:00 2001 From: "Jan Alexander Steffens (heftig)" Date: Thu, 21 Dec 2017 20:36:48 +0100 Subject: [PATCH 2/2] shared/compat: fix memory handling of nm_setting_vpn_get_*_keys() The previous fix was bad because the keys do not come from NMSettingVpn's hash table but are copies that are freed by nm_setting_vpn_foreach_* before it returns. [thaller@redhat.com: import shared code from NetworkManager, merging three patches together.] Fixes: e93ca7fc129ec0f29f5313a3aa12839914df8fa2 Fixes: 0c90e08f77b71d2bda699cf032fceec0122bbf82 https://mail.gnome.org/archives/networkmanager-list/2017-December/msg00069.html https://mail.gnome.org/archives/networkmanager-list/2017-December/msg00070.html (cherry picked from commit a52ccb2fe170558fc0aab4dd1d15ba8808b10951) --- shared/nm-utils/nm-compat.c | 29 ++++++++++++++++++++++------- 1 file changed, 22 insertions(+), 7 deletions(-) diff --git a/shared/nm-utils/nm-compat.c b/shared/nm-utils/nm-compat.c index 47035e62..90328c06 100644 --- a/shared/nm-utils/nm-compat.c +++ b/shared/nm-utils/nm-compat.c @@ -30,7 +30,7 @@ _get_keys_cb (const char *key, const char *val, gpointer user_data) { GPtrArray *a = user_data; - g_ptr_array_add (a, (gpointer) key); + g_ptr_array_add (a, g_strdup (key)); } static const char ** @@ -40,22 +40,37 @@ _get_keys (NMSettingVpn *setting, { guint len; const char **keys = NULL; - gs_unref_ptrarray GPtrArray *a = NULL; + GPtrArray *a; nm_assert (NM_IS_SETTING_VPN (setting)); - a = g_ptr_array_new (); + if (is_secrets) + len = nm_setting_vpn_get_num_secrets (setting); + else + len = nm_setting_vpn_get_num_data_items (setting); + + a = g_ptr_array_sized_new (len + 1); + if (is_secrets) nm_setting_vpn_foreach_secret (setting, _get_keys_cb, a); else nm_setting_vpn_foreach_data_item (setting, _get_keys_cb, a); - len = a->len; - if (a->len) { + len = a->len; + if (len) { g_ptr_array_sort (a, nm_strcmp_p); g_ptr_array_add (a, NULL); - keys = (const char **) g_ptr_array_free (g_steal_pointer (&a), FALSE); - } + keys = g_memdup (a->pdata, a->len * sizeof (gpointer)); + + /* we need to cache the keys *somewhere*. */ + g_object_set_qdata_full (G_OBJECT (setting), + is_secrets + ? NM_CACHED_QUARK ("libnm._nm_setting_vpn_get_secret_keys") + : NM_CACHED_QUARK ("libnm._nm_setting_vpn_get_data_keys"), + g_ptr_array_free (a, FALSE), + (GDestroyNotify) g_strfreev); + } else + g_ptr_array_free (a, TRUE); NM_SET_OUT (out_length, len); return keys; -- 2.14.3