DropOldData() can be made to dereference a free()d
pointer, resulting in a segfault. (Note: this is a
different bug from the one fixed by patch number 834192.)
The bug occurs if the block beginning at line 330 of
bandwidthd.c (in release 1.1.7) unlinks and frees the
second node in the IPDataStore linked list. Unlinking
the second node causes the while loop at line 328 to
process the first node in the list again (due to the
"rewind" at line 337).
The trouble starts with the test on line 330, which
detects whether we're processing the first node by
checking if PrevDataStore is null. In this particular
scenario, PrevDataStore is non-null, even though we are
processing the first node.
The code will then attempt to unlink the first node,
which results in DataStore pointing at free()d memory,
causing a segfault.
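Added example, not bandwidthd's code: a simplified model of the IPDataStore walk in which unlinking is done through an indirect pointer, so there is no PrevDataStore null test and no rewind step for a stale PrevDataStore to break. The names DataStore, oldest, push_front, drop_old, list_len and oldest_at are hypothetical.

```c
#include <stdlib.h>

/* Hypothetical model of the IPDataStore list (not bandwidthd's code):
 * a store whose data is all older than the cutoff is unlinked and freed. */
typedef struct DataStore {
    long oldest;                /* timestamp of the oldest data held */
    struct DataStore *Next;
} DataStore;

/* Prepend a store; returns the new list head. */
DataStore *push_front(DataStore *head, long oldest) {
    DataStore *n = malloc(sizeof *n);
    n->oldest = oldest;
    n->Next = head;
    return n;
}

/* Unlink-and-free through an indirect pointer. `link` always addresses
 * the pointer that currently refers to the node under test: the head
 * variable for the first node, the previous node's Next otherwise. So
 * "is this the first node?" never has to be asked and nothing is rewound:
 * one assignment both unlinks the node and advances the walk. */
int drop_old(DataStore **head, long cutoff) {
    int dropped = 0;
    DataStore **link = head;
    while (*link) {
        DataStore *cur = *link;
        if (cur->oldest < cutoff) {
            *link = cur->Next;      /* head (or prev->Next) now skips cur */
            free(cur);              /* cur is never touched again */
            dropped++;
        } else {
            link = &cur->Next;      /* keep cur; look at the node after it */
        }
    }
    return dropped;                 /* number of stores freed */
}

/* Number of nodes still reachable from head. */
int list_len(const DataStore *head) {
    int n = 0;
    for (; head; head = head->Next) n++;
    return n;
}

/* Timestamp stored in the i-th node (0-based), or -1 if absent. */
long oldest_at(const DataStore *head, int i) {
    for (; head && i > 0; head = head->Next) i--;
    return head ? head->oldest : -1;
}
```

The same walk handles the case from the report (the second node being dropped) and the first-node and last-node cases without any special-casing.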
One fix is to insert a 'break' at line 338 to avoid the
unnecessary trip around the loop:
--- bandwidthd-1.1.7/bandwidthd.c Tue Dec 2
+++ bandwidthd-1.1.7-hr/bandwidthd.c Fri Jan 2
@@ -334,7 +334,7 @@
free(DataStore->FirstBlock->Data); // Free the memory
PrevDataStore; // Rewind
back to the prev data store so the move next below
doesn't skip a node
+ break; // move on to
the next block
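Review bot: the added `+ break;` leaves the enclosing loop as soon as one store has been unlinked, so the comment `// move on to the next block` does not describe what it does; if a single pass is expected to drop every stale store, the fix should instead keep the walk going with a valid PrevDataStore (or hold a pointer to the link being edited), since the rewind line visible here is what leaves PrevDataStore pointing at the node under test. Separately, the hunk header `@@ -334,7 +334,7 @@` reports equal line counts for a hunk that only adds a line, and the context line `PrevDataStore; // Rewind` has lost its left-hand side, so the patch as posted is unlikely to apply cleanly and should be regenerated with `diff -u` before it is merged.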
Happy new year, all.