Date:      Fri, 14 Sep 2007 22:18:49 GMT
From:      Peter Hunt <peter.hunt@nokia.com>
To:        freebsd-gnats-submit@FreeBSD.org
Subject:   kern/116360: Potential double-free on error when copying IPv6 output options.
Message-ID:  <200709142218.l8EMInjP042742@www.freebsd.org>
Resent-Message-ID: <200709142220.l8EMK1Y1018974@freefall.freebsd.org>


>Number:         116360
>Category:       kern
>Synopsis:       Potential double-free on error when copying IPv6 output options.
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Sep 14 22:20:01 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator:     Peter Hunt
>Release:        FreeBSD 6.1 RELEASE
>Organization:
Nokia
>Environment:
FreeBSD frente.nes.nokia.com 6.1-RELEASE FreeBSD 6.1-RELEASE #0: Sun May  7 04:42:56 UTC 2006     root@opus.cse.buffalo.edu:/usr/obj/usr/src/sys/SMP  i386
>Description:
I noticed what I think is a double free problem by code inspection. It appears to be in 6.1 (which I'm using) and HEAD. I have not seen any problem during use.

In ip6_output.c:copypktopts(), if an error occurs while copying the packet options from src to dst, the routine frees all the fields in dst, but does not set them to NULL. It then returns error status.

Some callers of copypktopts() (via in6_setpktopts()) handle the error by calling in6_clearpktopts() on dst, which will try to free the fields again, as they are not NULL.

Specifically, raw_ip6.c:rip6_output() and udp_usrreq.c:udp6_output() both call ip6_setpktopts, passing src and dst pktopts pointers, and handle the error by calling in6_clearpktopts.

Regards,

Peter Hunt
Nokia Enterprise Solutions

>How-To-Repeat:

>Fix:
I think this problem can be solved by having clearpktopts() zero out the fields after freeing them (or calling ip6_initpktopts on dst).


>Release-Note:
>Audit-Trail:
>Unformatted:
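The failure mode described in this report, as an added C example (not FreeBSD code and not part of the submitter's report): a hypothetical struct pktopts with a copy routine written in the reported form beside one that frees and NULLs the fields on error, both exercised through a small allocation shim that records live blocks and counts frees of non-live pointers instead of letting the process crash. The names pktopts, copypktopts_buggy, copypktopts_fixed, shim_alloc, shim_free, live_count and run_scenario are assumptions made for illustration, as is the constructed option data.

```c
/* Added example, not FreeBSD's or the submitter's code: a model of the
 * copypktopts() error path from PR kern/116360.  struct pktopts, the
 * _buggy/_fixed functions and the allocation shim are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define FIELD_SZ 16
#define MAX_LIVE 16
struct pktopts { void *pktinfo, *nexthop, *hbh; };  /* stand-in for ip6_pktopts */

static void *live[MAX_LIVE];                /* blocks allocated via the shim */
static int alloc_calls, fail_after, double_frees;

static void *shim_alloc(size_t n)
{
    if (++alloc_calls > fail_after)
        return NULL;                        /* simulated ENOBUFS */
    void *p = malloc(n);
    for (int i = 0; p != NULL && i < MAX_LIVE; i++)
        if (live[i] == NULL) { live[i] = p; return p; }
    abort();                                /* out of memory or table full */
}

static void shim_free(void *p)
{
    if (p == NULL) return;                  /* free(NULL) is a no-op */
    for (int i = 0; i < MAX_LIVE; i++)
        if (live[i] == p) { live[i] = NULL; free(p); return; }
    double_frees++;                         /* block already freed: the bug */
}

int live_count(void)
{
    int n = 0;
    for (int i = 0; i < MAX_LIVE; i++)
        n += (live[i] != NULL);
    return n;
}

/* Caller-side cleanup, as rip6_output()/udp6_output() do on error. */
static void clearpktopts(struct pktopts *o)
{
    shim_free(o->pktinfo); o->pktinfo = NULL;
    shim_free(o->nexthop); o->nexthop = NULL;
    shim_free(o->hbh);     o->hbh = NULL;
}

/* Duplicate one field: 0 on success, -1 when the allocation fails. */
static int dupfield(void **dstp, const void *srcp)
{
    if (srcp == NULL) { *dstp = NULL; return 0; }
    if ((*dstp = shim_alloc(FIELD_SZ)) == NULL)
        return -1;
    memcpy(*dstp, srcp, FIELD_SZ);
    return 0;
}

static int copy_fields(struct pktopts *dst, const struct pktopts *src)
{
    memset(dst, 0, sizeof(*dst));
    if (dupfield(&dst->pktinfo, src->pktinfo) != 0) return -1;
    if (dupfield(&dst->nexthop, src->nexthop) != 0) return -1;
    return dupfield(&dst->hbh, src->hbh);
}

/* The pattern the PR describes: on error the fields are freed but the
 * dangling pointers stay, so the caller's clearpktopts() frees them again. */
int copypktopts_buggy(struct pktopts *dst, const struct pktopts *src)
{
    if (copy_fields(dst, src) == 0)
        return 0;
    shim_free(dst->pktinfo);
    shim_free(dst->nexthop);
    shim_free(dst->hbh);
    return -1;
}

/* The fix the PR suggests: free and NULL every field on error, so the
 * caller's clearpktopts() becomes a harmless no-op. */
int copypktopts_fixed(struct pktopts *dst, const struct pktopts *src)
{
    if (copy_fields(dst, src) == 0)
        return 0;
    clearpktopts(dst);
    return -1;
}

/* Scenario: the copy fails on its second allocation, then the caller clears
 * dst.  Returns the double frees observed, or -1 if the copy did not fail. */
int run_scenario(int (*copy)(struct pktopts *, const struct pktopts *))
{
    static char stub[FIELD_SZ] = "constructed";   /* constructed option data */
    struct pktopts src = { stub, stub, stub }, dst;
    alloc_calls = 0; double_frees = 0; fail_after = 1;
    if (copy(&dst, &src) == 0)
        return -1;
    clearpktopts(&dst);                     /* what the PR's callers do */
    return double_frees;
}
```

Calling run_scenario(copypktopts_buggy) returns 1: the caller's cleanup frees the dangling pktinfo block a second time. run_scenario(copypktopts_fixed) returns 0, and live_count() is 0 after either run, so the fixed error path neither double-frees nor leaks. The shim only makes the problem observable; in the kernel the second free corrupts allocator state, so the fix is to make the error path leave dst in the same cleared state the caller expects.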


