tags 334292 +patch
Thank you Mr Bug Control Robot

The double-free in lftp is caused by the SMTask::Schedule's deleting
of deletable tasks.

Basically, it takes the next pointer of the task before deleting it,
but deleting the task can also delete other tasks. In the case of
a 'put', it seems to quite consistently delete the next task in the
chain. Since the memory is still around, and marked as deletable,
it tries to delete it again, and causes the double-free.

The below patch fixes this by restarting the Schedule() loop if we've
deleted anything and were not at the end of the chain. (It also
protects the delete call against being called on 0x0, but that might
be a usual idiom in C++.)

(I also had a bit of trouble emulating the brace/indentation style.)

diff -u lftp-3.3.1.orig/src/SMTask.cc lftp-3.3.1/src/SMTask.cc
--- lftp-3.3.1.orig/src/SMTask.cc
+++ lftp-3.3.1/src/SMTask.cc
@@ -211,7 +211,12 @@
 #endif
       Leave(current);  // unmark it running and change current.
 
-      delete to_delete;
+      if(to_delete)
+      {
+     delete to_delete;
+     if( scan != 0) // Side-effects may have boned us
+        scan = chain;
+      }
       if(res==MOVED || to_delete)
         repeat=true;
    }
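Review bot: the restart `scan = chain` after every delete walks tasks already visited in this pass again, so a chain with many deletable tasks makes Schedule() quadratic; the guard `if( scan != 0)` only skips the restart when the deleted task was the last one in the chain. The outer `if(to_delete)` is harmless but redundant for the `delete` itself (deleting a null pointer is a no-op in C++); it is the restart that needs it, so a comment saying so would help. The comment "Side-effects may have boned us" should state what it means: deleting a task can delete other tasks, including the one `scan` already points at. The three inner lines are also indented one level short of the surrounding style.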

The below patch is actually fixing an uninitialised value error
that valgrind picked up while I was debugging this.

diff -u lftp-3.3.1.orig/src/lftp.cc lftp-3.3.1/src/lftp.cc
--- lftp-3.3.1.orig/src/lftp.cc
+++ lftp-3.3.1/src/lftp.cc
@@ -112,6 +112,7 @@
    {
       tty=isatty(0);
       ctty=(tcgetpgrp(0)!=(pid_t)-1);
+      add_newline=false;
       to_free=0;
       eof_count=0;
       for_history=0;
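Review bot: `add_newline=false;` sits in what looks like a constructor body next to the other member initialisations (`to_free`, `eof_count`, `for_history`), which is consistent; check whether this class has any other constructor that leaves `add_newline` unset, otherwise valgrind will report the same read from that path.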

-- 
Paul "TBBle" Hampson, [EMAIL PROTECTED]
8th year CompSci/Asian Studies student, ANU

Shorter .sig for a more eco-friendly paperless office.
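The mechanism described in the mail (save the next pointer, delete the current task, but the delete also removes the next task) reduced to a runnable model. This is an added example, not lftp's code: the `Task`/`chain` names, the `child` member standing in for "deleting a put deletes the next task", and the live-address set that catches the walk onto freed memory are all assumptions of this toy, and the two loops mirror the before/after shape of the SMTask.cc hunk rather than copying it.

```cpp
#include <cstdint>
#include <cstdio>
#include <set>

// Toy model of the SMTask chain from the mail (assumed names, not lftp's).
struct Task;
static Task* chain = nullptr;

// Instrumented "heap": addresses of live Task objects. A scan that touches
// an address no longer here has walked onto freed memory, which is the
// point at which the real program reads a stale flag and deletes twice.
static std::set<std::uintptr_t> live;
static int dangling_uses = 0;

static bool is_live(const Task* t) {
    return live.count(reinterpret_cast<std::uintptr_t>(t)) != 0;
}

struct Task {
    Task* next = nullptr;
    bool deleting = false;   // task asks Schedule() to delete it
    Task* child = nullptr;   // task this one's destructor also deletes

    Task() : next(chain) {
        chain = this;
        live.insert(reinterpret_cast<std::uintptr_t>(this));
    }
    ~Task() {
        // Unlink from the chain (modeled on a list-owned task destructor).
        for (Task** p = &chain; *p; p = &(*p)->next)
            if (*p == this) { *p = next; break; }
        live.erase(reinterpret_cast<std::uintptr_t>(this));
        // The side effect that bites the scheduler: deleting one task
        // deletes another task in the same chain.
        if (child && is_live(child)) delete child;
    }
};

struct Outcome { int freed; int dangling; int live_after; };

// Constructed scenario: chain A -> B -> C, A and B deletable, and deleting
// A also deletes B (its successor). Tasks push onto the head, so C first.
static void build_chain() {
    while (chain) delete chain;
    dangling_uses = 0;
    Task* c = new Task;  (void)c;
    Task* b = new Task;  b->deleting = true;
    Task* a = new Task;  a->deleting = true;  a->child = b;
}

// Loop shape before the patch: save next, delete, advance to the saved next.
static Outcome schedule_before_patch() {
    build_chain();
    int freed = 0;
    for (Task* scan = chain; scan; ) {
        if (!is_live(scan)) {        // instrumentation: lftp would read
            ++dangling_uses;         // scan->deleting from freed memory
            break;                   // here and delete it a second time
        }
        Task* next = scan->next;     // taken before the delete...
        if (scan->deleting) { delete scan; ++freed; }
        scan = next;                 // ...so it dangles if ~Task freed *next
    }
    return { freed, dangling_uses, static_cast<int>(live.size()) };
}

// Loop shape after the patch: restart from the head whenever something was
// deleted and the scan was not already past the end of the chain.
static Outcome schedule_after_patch() {
    build_chain();
    int freed = 0;
    Task* scan = chain;
    while (scan) {
        if (!is_live(scan)) { ++dangling_uses; break; }
        Task* next = scan->next;
        if (scan->deleting) {
            delete scan; ++freed;
            if (next) next = chain;  // side effects may have removed `next`
        }
        scan = next;
    }
    return { freed, dangling_uses, static_cast<int>(live.size()) };
}

int main() {
    Outcome before = schedule_before_patch();
    std::printf("before: freed=%d dangling=%d live=%d\n",
                before.freed, before.dangling, before.live_after);
    Outcome after = schedule_after_patch();
    std::printf("after:  freed=%d dangling=%d live=%d\n",
                after.freed, after.dangling, after.live_after);
    return 0;
}
```

The instrumented loop stops at the first walk onto a freed address instead of dereferencing it, so the "before" run reports one dangling use where lftp would have freed B twice; the "after" run restarts from the head after deleting A and finds only C left. The price of the restart is that tasks before the deleted one are re-walked on every delete, which is quadratic on long chains of deletable tasks; the alternative of re-reading the next pointer after the delete does not work here because the next node may itself be gone.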
