tags 334292 +patch

Thank you Mr Bug Control Robot

The double-free in lftp is caused by the SMTask::Schedule's deleting of deletable tasks.

Basically, it takes the next pointer of the task before deleting it, but deleting the task can also delete other tasks. In the case of a 'put', it seems to quite consistently delete the next task in the chain. Since the memory is still around, and marked as deletable, it tries to delete it again, and causes the double-free.

The below patch fixes this by restarting the Schedule() loop if we've deleted anything and were not at the end of the chain. (It also protects the delete call against being called on 0x0, but that might be a usual idiom in C++.) (I also had a bit of trouble emulating the brace/indentation style.)

diff -u lftp-3.3.1.orig/src/SMTask.cc lftp-3.3.1/src/SMTask.cc
--- lftp-3.3.1.orig/src/SMTask.cc
+++ lftp-3.3.1/src/SMTask.cc
@@ -211,7 +211,12 @@ #endif Leave(current); // unmark it running and change current. - delete to_delete; + if(to_delete) + { + delete to_delete; + if( scan != 0) // Side-effects may have boned us + scan = chain; + } if(res==MOVED || to_delete) repeat=true; }

The below patch is actually fixing an uninitialised value error that valgrind picked up while I was debugging this.

diff -u lftp-3.3.1.orig/src/lftp.cc lftp-3.3.1/src/lftp.cc
--- lftp-3.3.1.orig/src/lftp.cc
+++ lftp-3.3.1/src/lftp.cc
@@ -112,6 +112,7 @@ { tty=isatty(0); ctty=(tcgetpgrp(0)!=(pid_t)-1); + add_newline=false; to_free=0; eof_count=0; for_history=0;

-- 
Paul "TBBle" Hampson, [EMAIL PROTECTED]
8th year CompSci/Asian Studies student, ANU
Shorter .sig for a more eco-friendly paperless office.
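Review bot: on the SMTask.cc hunk, the `if( scan != 0) scan = chain;` reset makes Schedule() rescan from the head of the chain once per deleted task, which is safe but turns a single pass into a quadratic one when many tasks are deletable at the same time; the cost is acceptable for a bug fix, but it is worth recording in the comment that the rescan is the price of not knowing which tasks a destructor removed. The `if(to_delete)` guard is not needed for the `delete` itself (deleting a null pointer is a defined no-op in C++), but it is what stops the `scan = chain` reset from firing on iterations that deleted nothing, so keep it and say so in the comment. The `// Side-effects may have boned us` comment would read better as a statement of the actual hazard, namely that deleting `to_delete` may already have freed the task `scan` points at; the remaining question for the maintainer is why a 'put' task's destructor deletes a task that the scheduler also owns, since two owners of one task is what made the stale `scan` pointer dangerous in the first place.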
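Review bot: on the lftp.cc hunk, `add_newline=false;` is placed in the constructor body alongside `to_free=0;`, `eof_count=0;` and `for_history=0;`, which matches the surrounding style, but a member that was missed here once can be missed again when the next member is added; a default member initialiser or an entry in the constructor's initialiser list is harder to forget. Since valgrind only reports uninitialised reads on the path that was exercised, it is also worth checking whether any other members of this class are absent from this block before closing the report.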
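The iteration hazard the report describes (the scheduler caches `next` before deleting a task, the task's destructor deletes that next task too, and the scheduler then revisits freed memory) is easy to model without actually freeing memory. The following is an added example written for this page, not lftp's code: a three-task chain, a stand-in for `delete` that logs which task ids were "freed" and may cascade to its successor (as the 'put' case does), and the pre-patch loop beside the patched scan-restart loop. The task ids, the chain layout and the log are constructed for the demonstration; a duplicate id in the log is the double-free.

```cpp
// Added example, not lftp's code: models the SMTask::Schedule() deletion
// loop from the report and the patch's scan-restart fix. Nothing is really
// freed, so the buggy loop stays deterministic instead of being UB.
#include <cstddef>
#include <cstdio>
#include <vector>

struct Task {
    int id;
    bool deletable;     // marked for deletion by the scheduler
    bool deletes_next;  // destructor also destroys the successor ('put' case)
    Task *next;
};

struct Chain {
    Task *head = nullptr;
    std::vector<int> freed;  // constructed log of "freed" ids, in order

    void push_back(Task *t) {
        t->next = nullptr;
        if (!head) { head = t; return; }
        Task *p = head;
        while (p->next) p = p->next;
        p->next = t;
    }

    // Unlink t if it is still linked. The node itself is left intact so a
    // scheduler holding a stale pointer still reads well-defined values.
    void unlink(Task *t) {
        Task **pp = &head;
        while (*pp && *pp != t) pp = &(*pp)->next;
        if (*pp) *pp = t->next;
    }

    // Stand-in for `delete t`: logs the id and, if the task is the kind that
    // owns its successor, destroys that successor as a side effect.
    void destroy(Task *t) {
        Task *successor = t->next;
        unlink(t);
        freed.push_back(t->id);
        if (t->deletes_next && successor) {
            unlink(successor);
            freed.push_back(successor->id);
        }
    }
};

// Pre-patch shape: next pointer is read before the delete and then trusted.
void schedule_buggy(Chain &c) {
    Task *scan = c.head;
    while (scan) {
        Task *to_delete = scan->deletable ? scan : nullptr;
        scan = scan->next;                  // may point at a task destroy() frees
        if (to_delete) c.destroy(to_delete);
    }
}

// Patched shape: after a delete, restart from the head unless already at end.
void schedule_fixed(Chain &c) {
    Task *scan = c.head;
    while (scan) {
        Task *to_delete = scan->deletable ? scan : nullptr;
        scan = scan->next;
        if (to_delete) {
            c.destroy(to_delete);
            if (scan != nullptr)            // side effects may have freed *scan
                scan = c.head;
        }
    }
}

// The report's scenario: a deletable task whose destructor also kills its
// deletable successor, followed by a live task. Returns the freed-id log.
std::vector<int> run(void (*scheduler)(Chain &)) {
    Task a{1, true, true, nullptr};
    Task b{2, true, false, nullptr};
    Task c{3, false, false, nullptr};
    Chain chain;
    chain.push_back(&a);
    chain.push_back(&b);
    chain.push_back(&c);
    scheduler(chain);
    return chain.freed;
}

// True if any id was "freed" more than once.
bool has_double_free(const std::vector<int> &freed) {
    for (std::size_t i = 0; i < freed.size(); ++i)
        for (std::size_t j = i + 1; j < freed.size(); ++j)
            if (freed[i] == freed[j]) return true;
    return false;
}

int main() {
    std::printf("pre-patch loop double-frees: %s\n",
                has_double_free(run(schedule_buggy)) ? "yes" : "no");
    std::printf("patched loop double-frees:   %s\n",
                has_double_free(run(schedule_fixed)) ? "yes" : "no");
    return 0;
}
```

With the pre-patch loop the log comes out as 1, 2, 2: task 1's destructor already freed task 2, but the cached `scan` still points at it and sees `deletable` set. The patched loop restarts from the chain head after the delete, finds only the live task 3, and logs 1, 2. The restart costs an extra pass over the chain per deletion, which is the trade the patch makes for not knowing what a destructor removed.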