aliyun / iotkit-embedded

High-speed mirror: https://code.aliyun.com/linkkit/c-sdk
Apache License 2.0

Double Free issue #79

Closed murphyzhao closed 5 years ago

murphyzhao commented 5 years ago

After OTA succeeds, a double free occurs when freeing the MD5 context.

[inf] httpclient_common(828): close http channel
[inf] _network_ssl_disconnect(515): ssl_disconnect
[dbg] httpclient_close(774): client disconnected
mqtt_client|267 :: h_ota:0x0xc07a30
[dbg] IOT_OTA_Ioctl(802): origin=7c985ce504652de64b548cd9e1fe44af, now=7c985ce504652de64b548cd9e1fe44af
mqtt_client|273 :: The firmware is valid
mqtt_client|274 :: h_ota:0x0xc07a30
mqtt_client|284 :: mqtt client will exit...
mqtt_client|291 :: mqtt client free h_ota...
mqtt_client|292 :: h_ota:0x0xc07a30
[err] IOT_OTA_Deinit(356): handle free signal
[err] IOT_OTA_Deinit(360): handle free ch_fetch
[err] IOT_OTA_Deinit(363): handle free md5,0x0xc0c690
*** Error in `./output/release/bin/ota_mqtt-example': double free or corruption (fasttop): 0x0000000000c0c690 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x777e5)[0x7f39cf0dd7e5]
/lib/x86_64-linux-gnu/libc.so.6(+0x8037a)[0x7f39cf0e637a]
/lib/x86_64-linux-gnu/libc.so.6(cfree+0x4c)[0x7f39cf0ea53c]
./output/release/bin/ota_mqtt-example[0x411cea]
./output/release/bin/ota_mqtt-example(IOT_OTA_Deinit+0x117)[0x4138f8]
./output/release/bin/ota_mqtt-example(mqtt_client+0x96f)[0x40ad60]
./output/release/bin/ota_mqtt-example(main+0x62)[0x409b5b]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7f39cf086830]
./output/release/bin/ota_mqtt-example(_start+0x29)[0x409e59]
======= Memory map: ========
murphyzhao commented 5 years ago

Fix:

After freeing the memory, set the pointer to NULL

ota.c

int IOT_OTA_Ioctl(void *handle, IOT_OTA_CmdType_t type, void *buf, size_t buf_len)
{
 ...
 ...

    case IOT_OTAG_CHECK_FIRMWARE:
        if ((4 != buf_len) || (0 != ((unsigned long)buf & 0x3))) {
            OTA_LOG_ERROR("Invalid parameter");
            h_ota->err = IOT_OTAE_INVALID_PARAM;
            return -1;
        } else if (h_ota->state != IOT_OTAS_FETCHED) {
            h_ota->err = IOT_OTAE_INVALID_STATE;
            OTA_LOG_ERROR("Firmware can be checked in IOT_OTAS_FETCHED state only");
            return -1;
        } else {
            char md5_str[33];
            otalib_MD5Finalize(h_ota->md5, md5_str);
            OTA_LOG_DEBUG("origin=%s, now=%s", h_ota->md5sum, md5_str);
            if (0 == strcmp(h_ota->md5sum, md5_str)) {
                *((uint32_t *)buf) = 1;
            } else {
                *((uint32_t *)buf) = 0;
            }
            memset(h_ota->md5sum, 0x0, 33);
            otalib_MD5Deinit(h_ota->md5);

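            /* Clear the pointer after freeing so that a later free of h_ota->md5 (as logged in IOT_OTA_Deinit) is not a double free */
            h_ota->md5 = NULL;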
            return 0;
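
The teardown sequence from the log above (firmware check releases the MD5 context, then deinit releases it again), as an added example that is not the SDK's code. All `demo_*` names are hypothetical stand-ins, the heap block is modeled by a static slot so the repeated release can be counted instead of aborting, and the release routine is assumed to ignore NULL the way `free(NULL)` does.

```c
#include <stdio.h>
#include <stddef.h>

/* Hypothetical stand-ins for the SDK's MD5 context and OTA handle. */
typedef struct { int freed; } demo_md5_t;
typedef struct { demo_md5_t *md5; } demo_ota_t;

static demo_md5_t slot;     /* models one heap block */
static int double_frees;    /* releases attempted on an already-released block */

static demo_md5_t *demo_md5_init(void) { slot.freed = 0; return &slot; }

/* Models the context release: a second release of the same block is what
 * glibc reported as "double free or corruption". */
static void demo_md5_deinit(demo_md5_t *ctx)
{
    if (ctx == NULL) return;                 /* assumed no-op, like free(NULL) */
    if (ctx->freed) { double_frees++; return; }
    ctx->freed = 1;
}

/* Models the IOT_OTAG_CHECK_FIRMWARE branch, which releases the context.
 * clear_ptr selects the fix from the thread (pointer set to NULL). */
static void demo_check_firmware(demo_ota_t *h, int clear_ptr)
{
    demo_md5_deinit(h->md5);
    if (clear_ptr) h->md5 = NULL;
}

/* Models deinit: releases whatever the handle still points at. */
static void demo_ota_deinit(demo_ota_t *h)
{
    demo_md5_deinit(h->md5);
    h->md5 = NULL;
}

/* Runs check-then-deinit and returns the number of double frees seen. */
int run_ota_teardown(int clear_ptr)
{
    demo_ota_t h = { demo_md5_init() };
    double_frees = 0;
    demo_check_firmware(&h, clear_ptr);
    demo_ota_deinit(&h);
    return double_frees;
}

int main(void)
{
    printf("stale pointer kept: %d double free(s)\n", run_ota_teardown(0));
    printf("pointer cleared:    %d double free(s)\n", run_ota_teardown(1));
    return 0;
}
```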
murphyzhao commented 5 years ago

This has been fixed in the latest version.