#1547 closed Bug (fixed)
CLI client uses memory after it's been free()d
Reported by: | naddy | Owned by: | charles |
---|---|---|---|
Priority: | Normal | Milestone: | 1.41 |
Component: | CLI | Version: | 1.40 |
Severity: | Normal | Keywords: | |
Cc: |
Description
There is a use after free() bug in cli/cli.c r7069 (Transmission 1.40).
In main(), in the showScrape section, a pointer to a string (host) is handed to tr_webRun() for use as an eventual argument to scrapeDoneFunc() ...
tr_webRun( h, url, NULL, scrapeDoneFunc, host ); tr_free( host ); tr_free( url );
... and freed immediately after. However, scrapeDoneFunc() is only called later as part of the scheduled task and by then its argument "host" is an invalid pointer.
A possible fix is to move tr_free(host) into scrapeDoneFunc().
Attachments (1)
Change History (5)
Changed 12 years ago by naddy
comment:1 Changed 12 years ago by charles
- Component changed from Transmission to CLI
- Milestone changed from None Set to 1.41
- Owner set to charles
- Status changed from new to assigned
comment:2 Changed 12 years ago by charles
- Resolution set to fixed
- Status changed from assigned to closed
comment:3 Changed 12 years ago by charles
- Summary changed from CLI client use after free() to CLI client uses memory after it's been free()d
comment:4 Changed 12 years ago by charles
fix committed to 1.3x branch in r7277.
Note: See
TracTickets for help on using
tickets.
1.4x: r7229
trunk: r7230