Subject: Re: [PATCH] iw: scan: fix double-free in error paths
To: Brian Norris
Cc: Johannes Berg, linux-wireless
References: <20191121224139.58281-1-briannorris@chromium.org>
From: John Crispin
Message-ID: <2320ec82-d45b-889f-9f6f-0f26700a92b1@phrozen.org>
Date: Fri, 22 Nov 2019 00:32:30 +0100
X-Mailing-List: linux-wireless@vger.kernel.org

On 22/11/2019 00:30, Brian Norris wrote:
> On Thu, Nov 21, 2019 at 3:24 PM John Crispin wrote:
>>
>> On 21/11/2019 23:41, Brian Norris wrote:
>>> Hit when, for instance, I'm stupid enough to type an invalid scan
>>> command:
>>>
>>> # iw wlan0 scan -h
>>> BUG at file position lib/msg.c:572:void nlmsg_free(struct nl_msg *)
>>> iw: lib/msg.c:572: void nlmsg_free(struct nl_msg *): Assertion `0' failed.
>>> Aborted (core dumped)
>>>
>>> Fixes: 2f74c59cf11e ("iw: fix memory leaks inside handle_scan")
>>> Cc: John Crispin
>> wasn't me, nobody saw do anything
>> try
>> 367e7dd3 (Amit Khatri 2015-06-26 09:02:36 +0000 451) nlmsg_free(ssids);
>> 367e7dd3 (Amit Khatri 2015-06-26 09:02:36 +0000 452) nlmsg_free(freqs);
>> ???
>
> I don't really care about "who", but it's nice to correctly note "what":
>
> Your patch added 'goto nla_put_failure' in the DONE case (or
> fallthrough from NONE), which introduced the double-free. Previously,
> it was just a 'return', which meant we needed to do the cleanup in
> 'case DONE'.
>
> For Amit's patch: note how there's a 'return', which makes his code
> the only possible call to nlmsg_free() (i.e., no double-free).
>
> Brian
>
point taken, I see it now :(
John
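The thread describes a classic error-path double free: a branch that frees its buffers and then jumps to a shared cleanup label that frees them again. The following is an added, self-contained C model of that shape next to two hardened variants; it is not iw's handle_scan() and not Brian's patch. The names ssids, freqs and nla_put_failure follow the thread, the enum values, the struct msg type and the counting msg_free() stand-in (which records releases instead of aborting the way libnl's nlmsg_free() did) are constructed so the double free is observable rather than fatal.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed tracked message: a free counter makes a double free
 * visible instead of crashing the process (libnl's nlmsg_free() asserts). */
struct msg {
    int id;
    int freed;
};

static struct msg *msg_alloc(int id)
{
    struct msg *m = calloc(1, sizeof(*m));
    if (m)
        m->id = id;
    return m;
}

/* Stand-in for nlmsg_free(): counts releases rather than freeing memory. */
static void msg_free(struct msg *m)
{
    if (m)
        m->freed++;
}

/* Free-and-null helper: a second call on the same variable is a no-op. */
static void msg_free_p(struct msg **m)
{
    msg_free(*m);
    *m = NULL;
}

enum parse_state { PS_NONE, PS_DONE, PS_ERROR };

/* Buggy shape (simplified model, not iw's code): the DONE branch frees
 * both buffers and then jumps to the shared error label, which frees
 * them a second time. */
static int scan_buggy(enum parse_state st, struct msg *ssids, struct msg *freqs)
{
    int err = 0;

    switch (st) {
    case PS_NONE:
    case PS_DONE:
        msg_free(ssids);
        msg_free(freqs);
        goto nla_put_failure;   /* second free happens below */
    case PS_ERROR:
        err = -1;
        goto nla_put_failure;
    }
    return err;

nla_put_failure:
    msg_free(ssids);
    msg_free(freqs);
    return err;
}

/* Hardened shape 1: exactly one owner of the cleanup. Every exit path
 * goes through the single label and nothing frees before jumping there. */
static int scan_fixed(enum parse_state st, struct msg *ssids, struct msg *freqs)
{
    int err = 0;

    switch (st) {
    case PS_NONE:
    case PS_DONE:
        goto out;
    case PS_ERROR:
        err = -1;
        goto out;
    }
out:
    msg_free(ssids);
    msg_free(freqs);
    return err;
}

/* Hardened shape 2: keep the original control flow but null pointers on
 * free, so a repeated release through the label is harmless. */
static int scan_nulling(enum parse_state st, struct msg *ssids, struct msg *freqs)
{
    int err = 0;

    switch (st) {
    case PS_NONE:
    case PS_DONE:
        msg_free_p(&ssids);
        msg_free_p(&freqs);
        goto nla_put_failure;
    case PS_ERROR:
        err = -1;
        goto nla_put_failure;
    }
    return err;

nla_put_failure:
    msg_free_p(&ssids);   /* no-op if already released above */
    msg_free_p(&freqs);
    return err;
}

/* Run one variant for one state; report releases per buffer, or -1 if the
 * two buffers disagree or allocation failed. */
static int frees_per_buffer(int (*fn)(enum parse_state, struct msg *, struct msg *),
                            enum parse_state st)
{
    struct msg *ssids = msg_alloc(1);
    struct msg *freqs = msg_alloc(2);
    int n = -1;

    if (ssids && freqs) {
        fn(st, ssids, freqs);
        if (ssids->freed == freqs->freed)
            n = ssids->freed;
    }
    free(ssids);
    free(freqs);
    return n;
}

int main(void)
{
    printf("buggy   DONE : %d frees per buffer\n", frees_per_buffer(scan_buggy, PS_DONE));
    printf("buggy   ERROR: %d frees per buffer\n", frees_per_buffer(scan_buggy, PS_ERROR));
    printf("fixed   DONE : %d frees per buffer\n", frees_per_buffer(scan_fixed, PS_DONE));
    printf("nulling DONE : %d frees per buffer\n", frees_per_buffer(scan_nulling, PS_DONE));
    return 0;
}
```

The buggy variant reports two releases per buffer for the DONE (and NONE fallthrough) path and one for the ERROR path, which is exactly the asymmetry Brian points out: the shared label is correct as long as no earlier branch has already done the cleanup. Of the two hardened forms, the single-owner cleanup is the one to prefer in review; nulling after free is a belt-and-braces defence that also keeps a stray later use from dereferencing freed memory.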