Bug 753184 - Use-after-free in get_nic_information
Status: RESOLVED FIXED
Product: gnome-nettool
Classification: Applications
Component: general
Version: 3.8.x
Hardware: Other All
Importance: Normal normal
Target Milestone: ---
Assigned To: Germán Poo-Caamaño
Rodrigo Moya
Reported: 2015-08-03 14:59 UTC by josselin.feist
Modified: 2017-10-03 20:07 UTC


Attachments
Fix user-after-free variable (774 bytes, patch)
2017-10-03 20:07 UTC, Germán Poo-Caamaño
committed

Description josselin.feist 2015-08-03 14:59:51 UTC
Hi,

I think that I have found a use-after-free in gnome-nettool (version 3.8.1).

The vuln is located in the function get_nic_information (info.c).

The chunk allocated at line 422:
ip = g_new0 (InfoIpAddr, 1);

is freed during the call to info_ip_addr (call in line 441)
info_ip_addr_free (ip);
 
But it is used at line 481:
ip->ip_bcast = g_strdup ("");

if the condition (netload.if_flags & (1L << GLIBTOP_IF_FLAGS_LOOPBACK)) at line 477 evaluates to true.

The vulnerability was found by my static binary analyzer gueb (which will become open-source soon).
Because I found it with static analysis, I do not have a test case, but from reading the source code, the path leading to the use-after-free does not seem so hard to trigger.

Best regards,
Josselin Feist
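
The lifetime pattern described in the report, next to one hardened form, as an added example: this is not gnome-nettool's code and not the committed fix. IpAddr, dup_str, the has_addr flag and the sample address are constructed for illustration; only the allocate / free / later write sequence comes from the report.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for InfoIpAddr: only ip_bcast is named in the report. */
typedef struct { char *ip_addr; char *ip_bcast; } IpAddr;

static char *dup_str(const char *s) {
    char *p = malloc(strlen(s) + 1);
    return p ? strcpy(p, s) : NULL;
}

/* Releases the record and the strings it owns, like info_ip_addr_free. */
static void ip_addr_free(IpAddr *ip) {
    if (!ip) return;
    free(ip->ip_addr);
    free(ip->ip_bcast);
    free(ip);
}

/* Flow from the report. has_addr (hypothetical) selects the path that frees
 * the record; is_loopback selects the later write. With both set, the write
 * lands in a freed chunk. Shown for comparison only: do not call it. */
IpAddr *nic_info_vulnerable(int has_addr, int is_loopback) {
    IpAddr *ip = calloc(1, sizeof *ip);
    if (!ip) return NULL;
    if (has_addr) {
        ip->ip_addr = dup_str("192.0.2.1");
        ip_addr_free(ip);                 /* ip dangles from here on */
    }
    if (is_loopback)
        ip->ip_bcast = dup_str("");       /* use after free */
    return ip;
}

/* Hardened flow: drop the pointer when the object is released and take a
 * fresh record before any later write. */
IpAddr *nic_info_hardened(int has_addr, int is_loopback) {
    IpAddr *ip = calloc(1, sizeof *ip);
    if (!ip) return NULL;
    if (has_addr) {
        ip->ip_addr = dup_str("192.0.2.1");
        ip_addr_free(ip);
        ip = NULL;                        /* no dangling pointer survives */
    }
    if (is_loopback) {
        if (!ip) ip = calloc(1, sizeof *ip);
        if (ip) ip->ip_bcast = dup_str("");
    }
    return ip;
}
```

Building the vulnerable variant with AddressSanitizer (-fsanitize=address) and exercising the free-then-loopback path is one way to confirm this class of bug dynamically when only a static finding exists.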
Comment 1 Germán Poo-Caamaño 2017-10-03 20:07:31 UTC
The following fix has been pushed:
bccd529 Fix user-after-free variable
Comment 2 Germán Poo-Caamaño 2017-10-03 20:07:40 UTC
Created attachment 360871
Fix user-after-free variable