From 46f99b295e59f44dfde50ec90e7c09627d32431e Mon Sep 17 00:00:00 2001
From: "Jan Alexander Steffens (heftig)" <jan.steffens@gmail.com>
Date: Wed, 20 Dec 2017 13:23:12 +0100
Subject: [PATCH 1/2] shared/compat: fix memory handling of
nm_setting_vpn_get_*_keys
The compat implementations return a (transfer none) strv instead of a
(transfer container) one. This has caused double frees in nm-applet:
https://bugs.archlinux.org/task/56772
Don't copy the keys and don't free the container later.
[thaller@redhat.com: patch adjusted to avoid compiler warning]
Patch imported from NetworkManager commit 8ac8c01162235c2c198bfaf25fb7d1a57a595ce5.
Fixes: e93ca7fc129ec0f29f5313a3aa12839914df8fa2
(cherry picked from commit 0c90e08f77b71d2bda699cf032fceec0122bbf82)
---
shared/nm-utils/nm-compat.c | 10 +---------
1 file changed, 1 insertion(+), 9 deletions(-)
diff --git a/shared/nm-utils/nm-compat.c b/shared/nm-utils/nm-compat.c
index 22ab675d..47035e62 100644
--- a/shared/nm-utils/nm-compat.c
+++ b/shared/nm-utils/nm-compat.c
@@ -30,7 +30,7 @@ _get_keys_cb (const char *key, const char *val, gpointer user_data)
{
GPtrArray *a = user_data;
- g_ptr_array_add (a, g_strdup (key));
+ g_ptr_array_add (a, (gpointer) key);
}
static const char **
@@ -55,14 +55,6 @@ _get_keys (NMSettingVpn *setting,
g_ptr_array_sort (a, nm_strcmp_p);
g_ptr_array_add (a, NULL);
keys = (const char **) g_ptr_array_free (g_steal_pointer (&a), FALSE);
-
- /* we need to cache the keys *somewhere*. */
- g_object_set_qdata_full (G_OBJECT (setting),
- is_secrets
- ? NM_CACHED_QUARK ("libnm._nm_setting_vpn_get_secret_keys")
- : NM_CACHED_QUARK ("libnm._nm_setting_vpn_get_data_keys"),
- keys,
- (GDestroyNotify) g_strfreev);
}
NM_SET_OUT (out_length, len);
--
2.14.3
From 0d13a8b4064c83146714ecee86b69042aca35f9e Mon Sep 17 00:00:00 2001
From: "Jan Alexander Steffens (heftig)" <jan.steffens@gmail.com>
Date: Thu, 21 Dec 2017 20:36:48 +0100
Subject: [PATCH 2/2] shared/compat: fix memory handling of
nm_setting_vpn_get_*_keys()
The previous fix was bad because the keys do not come from NMSettingVpn's hash
table but are copies that are freed by nm_setting_vpn_foreach_* before
it returns.
[thaller@redhat.com: import shared code from NetworkManager, merging
three patches together.]
Fixes: e93ca7fc129ec0f29f5313a3aa12839914df8fa2
Fixes: 0c90e08f77b71d2bda699cf032fceec0122bbf82
https://mail.gnome.org/archives/networkmanager-list/2017-December/msg00069.html
https://mail.gnome.org/archives/networkmanager-list/2017-December/msg00070.html
(cherry picked from commit a52ccb2fe170558fc0aab4dd1d15ba8808b10951)
---
shared/nm-utils/nm-compat.c | 29 ++++++++++++++++++++++-------
1 file changed, 22 insertions(+), 7 deletions(-)
diff --git a/shared/nm-utils/nm-compat.c b/shared/nm-utils/nm-compat.c
index 47035e62..90328c06 100644
--- a/shared/nm-utils/nm-compat.c
+++ b/shared/nm-utils/nm-compat.c
@@ -30,7 +30,7 @@ _get_keys_cb (const char *key, const char *val, gpointer user_data)
{
GPtrArray *a = user_data;
- g_ptr_array_add (a, (gpointer) key);
+ g_ptr_array_add (a, g_strdup (key));
}
static const char **
@@ -40,22 +40,37 @@ _get_keys (NMSettingVpn *setting,
{
guint len;
const char **keys = NULL;
- gs_unref_ptrarray GPtrArray *a = NULL;
+ GPtrArray *a;
nm_assert (NM_IS_SETTING_VPN (setting));
- a = g_ptr_array_new ();
+ if (is_secrets)
+ len = nm_setting_vpn_get_num_secrets (setting);
+ else
+ len = nm_setting_vpn_get_num_data_items (setting);
+
+ a = g_ptr_array_sized_new (len + 1);
+
if (is_secrets)
nm_setting_vpn_foreach_secret (setting, _get_keys_cb, a);
else
nm_setting_vpn_foreach_data_item (setting, _get_keys_cb, a);
- len = a->len;
- if (a->len) {
+ len = a->len;
+ if (len) {
g_ptr_array_sort (a, nm_strcmp_p);
g_ptr_array_add (a, NULL);
- keys = (const char **) g_ptr_array_free (g_steal_pointer (&a), FALSE);
- }
+ keys = g_memdup (a->pdata, a->len * sizeof (gpointer));
+
+ /* we need to cache the keys *somewhere*. */
+ g_object_set_qdata_full (G_OBJECT (setting),
+ is_secrets
+ ? NM_CACHED_QUARK ("libnm._nm_setting_vpn_get_secret_keys")
+ : NM_CACHED_QUARK ("libnm._nm_setting_vpn_get_data_keys"),
+ g_ptr_array_free (a, FALSE),
+ (GDestroyNotify) g_strfreev);
+ } else
+ g_ptr_array_free (a, TRUE);
NM_SET_OUT (out_length, len);
return keys;
--
2.14.3