The realloc is problematic mostly with large packets, as the pointer changes
so what eventually gets free'd is invalid.
Note that ub ptr param in the call will be passed on to a ubus_msg_free(),
right after ubus_msg_ref() finishes.
This bug stayed hidden the same way as the bug in libubus writev_retry().
Since the write/sendmsg function can send about ~200k the ubus_msg_enqueue()
call does not get triggered.
#include "ubusd.h"
-static struct ubus_msg_buf *ubus_msg_unshare(struct ubus_msg_buf *ub)
-{
- ub = realloc(ub, sizeof(*ub) + ub->len);
- if (!ub)
- return NULL;
-
- ub->refcount = 1;
- memcpy(ub + 1, ub->data, ub->len);
- ub->data = (void *) (ub + 1);
- return ub;
-}
-
static struct ubus_msg_buf *ubus_msg_ref(struct ubus_msg_buf *ub)
{
if (ub->refcount == ~0)
- return ubus_msg_unshare(ub);
+ return ubus_msg_new(ub->data, ub->len, false);
ub->refcount++;
return ub;