GNOME Bugzilla – Bug 756380
Possible double free with SettingIPConfig.get_address using Python gi
Last modified: 2015-10-12 15:37:49 UTC
The following Python gi program crashes likely due to double free. =========== #!/usr/bin/python3 import gi gi.require_version('NM', '1.0') from gi.repository import NM as nm for _ in range(10000): settings = nm.SettingIP4Config.new() address = nm.IPAddress.new(2, '192.168.0.1', 24) settings.add_address(address) settings.get_address(0) =========== With following message: =========== (process:6088): libnm-CRITICAL **: nm_ip_address_unref: assertion 'address->refcount > 0' failed Segmentation fault =========== System information: OS: Debian GNU/Linux Sid network-manager: 1.0.6-1 (from repository packages) python3-gi: 3.18.0-1 (from repository packages)
Created attachment 313105 [details] [review] [PATCH] libnm: add missing GObject introspection annotations The attached patch should fix the problem.
(In reply to Beniamino Galvani from comment #1) > Created attachment 313105 [details] [review] [review] > [PATCH] libnm: add missing GObject introspection annotations > > The attached patch should fix the problem. LGTM. (Jirka was also looking into this...)
nm_setting_ip_config_get_address() missed introspection annotation, which resulted in Python releasing the address. And then double-free occured when NM released the address again. Already pushed: master: 237030c libnm: specify (transfer none) introspection annotation (bgo #756380) nm-1-0: ba46efd libnm: specify (transfer none) introspection annotation (bgo #756380)
I confirm that the problem is indeed fixed by applying the patch on 1.0.6. I checked for both get_address() and get_route() calls. Thank you for the quick fix and the awesome NetworkManager.