From:Chad MILLER Date:March 17 2009 7:31pm
Subject:bzr commit into mysql-5.1-bugteam branch (chad:2841) Bug#42675
#At file:///home/cmiller/work/mysqlbzr/5.1-bugteam--bug42675/ based on revid:patrick.crews@stripped

 2841 Chad MILLER	2009-03-17
      Bug#42675: Dangling pointer leads to a client crash (mysys/my_error.c patch enclosed)
        
      One call to my_error_unregister_all() would free pointers, but leave one
      pointer to just-freed memory still assigned.  That's the bug.  Subsequent
      calls of this function would try to follow pointers into deallocated, 
      garbage memory and almost certainly SEGV.
      
      Now, after freeing a linked list, unset the initial pointer.

    modified:
      mysys/my_error.c
=== modified file 'mysys/my_error.c'
--- a/mysys/my_error.c	2009-02-05 06:16:00 +0000
+++ b/mysys/my_error.c	2009-03-17 19:31:07 +0000
@@ -252,11 +252,16 @@ const char **my_error_unregister(int fir
 
 void my_error_unregister_all(void)
 {
-  struct my_err_head    *list, *next;
-  for (list= my_errmsgs_globerrs.meh_next; list; list= next)
+  struct my_err_head *cursor, *saved_next;
+
+  for (cursor= my_errmsgs_globerrs.meh_next; cursor != NULL; cursor= saved_next)
   {
-    next= list->meh_next;
-    my_free((uchar*) list, MYF(0));
+	/* We need this ptr, but we're about to free its container, so save it. */
+    saved_next= cursor->meh_next;
+
+    my_free((uchar*) cursor, MYF(0));
   }
+  my_errmsgs_globerrs.meh_next= NULL;  /* Freed in first iteration above. */
+
   my_errmsgs_list= &my_errmsgs_globerrs;
 }
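Review bot: the added comment line `/* We need this ptr, but we're about to free its container, so save it. */` is indented with a tab while every other line in this hunk uses spaces; reindent it to match the surrounding four-space style. The fix itself is sound: resetting `my_errmsgs_globerrs.meh_next= NULL` after the loop means a second call of `my_error_unregister_all()` sees an empty list instead of walking the freed node, and the assignment is harmless when the list was already empty. The rename of `list`/`next` to `cursor`/`saved_next` and the explicit `!= NULL` are cosmetic and enlarge the diff without changing behaviour. Since the crash only shows on a repeated call, a regression check that registers an error list and then calls `my_error_unregister_all()` twice in a row would pin the behaviour down.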


Attachment: [text/bzr-bundle] bzr/chad@mysql.com-20090317193107-cs9c9ufvv3ino37y.bundle