Date:      Thu, 12 May 2016 04:54:32 +0000 (UTC)
From:      "Conrad E. Meyer" <cem@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r299513 - head/usr.sbin/rtadvd
Message-ID:  <201605120454.u4C4sWjI059834@repo.freebsd.org>

Author: cem
Date: Thu May 12 04:54:32 2016
New Revision: 299513
URL: https://svnweb.freebsd.org/changeset/base/299513

Log:
  rtadvd(8): Don't use-after-free
  
  This whole block of code was committed fully formed in r224144.  I'm not really
  sure what the intent was, but it seems plausible that !persist ifis could need
  other member cleanup.  Don't free the object until after we've finished
  cleaning its members.
  
  Reported by:	Coverity
  CID:		1006079
  Sponsored by:	EMC / Isilon Storage Division

Modified:
  head/usr.sbin/rtadvd/config.c

Modified: head/usr.sbin/rtadvd/config.c
==============================================================================
--- head/usr.sbin/rtadvd/config.c	Thu May 12 04:28:22 2016	(r299512)
+++ head/usr.sbin/rtadvd/config.c	Thu May 12 04:54:32 2016	(r299513)
@@ -234,7 +234,6 @@ rm_ifinfo(struct ifinfo *ifi)
 		TAILQ_REMOVE(&ifilist, ifi, ifi_next);
 		syslog(LOG_DEBUG, "<%s>: ifinfo (idx=%d) removed.",
 		    __func__, ifi->ifi_ifindex);
-		free(ifi);
 	} else {
 		/* recreate an empty entry */
 		update_persist_ifinfo(&ifilist, ifi->ifi_ifname);
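Review bot: with `free(ifi)` removed from the branch that does the `TAILQ_REMOVE`, the entry is already off `ifilist` but stays allocated until the end of `rm_ifinfo()`, so any early return between this branch and the final `return (0)` would now leak it. That intervening code is not part of this hunk, so it is worth confirming there is no such exit. A one-line comment here saying the non-persistent `ifi` is freed at the end of the function would make the ownership clear to the next reader.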
@@ -278,6 +277,8 @@ rm_ifinfo(struct ifinfo *ifi)
 	}
 
 	syslog(LOG_DEBUG, "<%s> leave (%s).", __func__, ifi->ifi_ifname);
+	if (!ifi->ifi_persist)
+		free(ifi);
 	return (0);
 }
 
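Review bot: the new `if (!ifi->ifi_persist)` before `return (0)` has to reach the same decision as the earlier branch that unlinked the entry (the one whose else arm calls `update_persist_ifinfo()`), and nothing in the patch ties the two together. Recording the decision in a local at the point of the `TAILQ_REMOVE` and freeing on that local would keep them in step even if `ifi_persist` is ever modified in between. Placing the free after the last `syslog()` that reads `ifi->ifi_ifname` is correct; a short comment that `ifi` must not be touched past this point would help keep the use-after-free from being reintroduced.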