Opened 12 years ago

Closed 12 years ago

Last modified 12 years ago

#1547 closed Bug (fixed)

CLI client uses memory after it's been free()d

Reported by: naddy Owned by: charles
Priority: Normal Milestone: 1.41
Component: CLI Version: 1.40
Severity: Normal Keywords:
Cc:

Description

There is a use after free() bug in cli/cli.c r7069 (Transmission 1.40).

In main(), in the showScrape section, a pointer to a string (host) is handed to tr_webRun() for use as an eventual argument to scrapeDoneFunc() ...

tr_webRun( h, url, NULL, scrapeDoneFunc, host );
tr_free( host );
tr_free( url );

... and freed immediately after. However, scrapeDoneFunc() is only called later as part of the scheduled task and by then its argument "host" is an invalid pointer.

A possible fix is to move tr_free(host) into scrapeDoneFunc().

Attachments (1)

cli.diff (593 bytes) - added by naddy 12 years ago.

Download all attachments as: .zip

Change History (5)

Changed 12 years ago by naddy

comment:1 Changed 12 years ago by charles

  • Component changed from Transmission to CLI
  • Milestone changed from None Set to 1.41
  • Owner set to charles
  • Status changed from new to assigned

comment:2 Changed 12 years ago by charles

  • Resolution set to fixed
  • Status changed from assigned to closed

1.4x: r7229

trunk: r7230

comment:3 Changed 12 years ago by charles

  • Summary changed from CLI client use after free() to CLI client uses memory after it's been free()d

comment:4 Changed 12 years ago by charles

fix committed to 1.3x branch in r7277.

Note: See TracTickets for help on using tickets.