
Bug#256954: frees wrong memory



Package: cdebconf
Version: 0.65
Severity: serious
Tags: patch

The first time ethdetect calls db_unregister, the read command
fails.  This prevents it from reading parameters, which prevents
it from loading the ne module, which prevents the network from
working, which prevents the installation from succeeding.

I think the read fails because the other end of the pipe closes
because cdebconf crashes because of a bug in
question_owner_delete: if the owner that it is trying to delete is
not the last one in the list, it frees the owner field.

The attached, untested patch should fix it, but I'd appreciate a
review.

-- 
Matt Kraai            kraai@ftbfs.org            http://ftbfs.org/
Index: packages/cdebconf/src/question.c
===================================================================
--- packages/cdebconf/src/question.c	(revision 17219)
+++ packages/cdebconf/src/question.c	(working copy)
@@ -122,25 +122,22 @@
 
 void question_owner_delete(struct question *q, const char *owner)
 {
-	struct questionowner **ownerp, *nextp;
+	struct questionowner **ownerp;
 
-	for (ownerp = &q->owners; *ownerp != 0; ownerp = &(*ownerp)->next)
+	for (ownerp = &q->owners; *ownerp != 0;)
 	{
 		if (strcmp((*ownerp)->owner, owner) == 0)
 		{
-			nextp = (*ownerp)->next;
-			if (nextp == 0)
-			{
-				nextp = *ownerp;
-				*ownerp = 0;
-			}
-			else
-			{
-				**ownerp = *nextp;
-			}
-			DELETE(nextp->owner);
-			DELETE(nextp);
+			struct questionowner *currentp = *ownerp;
+
+			*ownerp = currentp->next;
+			DELETE(currentp->owner);
+			DELETE(currentp);
 		}
+		else
+		{
+			ownerp = &(*ownerp)->next;
+		}
 	}
 }
 
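Review bot: In the rewritten loop, `for (ownerp = &q->owners; *ownerp != 0;)`, the match branch neither leaves the loop nor advances, so every entry whose owner compares equal is unlinked and freed. If owner names are meant to be unique within the list, add a `break` after `DELETE(currentp);`. Otherwise, add a one-line comment saying that duplicates are removed on purpose. With the third clause of the `for` now empty, `while (*ownerp != 0)` would state the intent more directly. Because the patch is described as untested, the cases to run before committing are deleting the first owner, a middle owner, and the last or only owner, since the removed lines handled the last node through a separate branch.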
