https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=255861
Bug ID: 255861
Summary: [PATCH] ngatm/netnatm/msg: Fix a use after free in DEF_IE_ENCODE
Product: Base System
Version: CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Many People
Priority: ---
Component: kern
Assignee: b...@freebsd.org
Reporter: lylg...@foxmail.com

Created attachment 224924
--> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=224924&action=edit
recover error code propagation

Bug File: sys/contrib/ngatm/netnatm/msg/uni_ie.c

In function DEF_IE_ENCODE, the macro START_IE2(...) calls uni_encode_ie_hdr(msg, ...). msg->buf is freed in the path uni_encode_ie_hdr(msg, ..) -> uni_msg_ensure(msg, ..) -> uni_msg_destroy(m) -> free(m->buf), and uni_msg_extend() returns an error code. But the error code propagation is truncated by converting uni_msg_ensure() to void. Then the freed msg->buf is used in the macro SET_IE_LEN(msg) in function DEF_IE_ENCODE(). My patch recovers the error code propagation to avoid the UAF bug.
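The failure pattern the report describes (a grow routine that frees the buffer on allocation failure, a void wrapper that swallows its return code, and an encoder that keeps writing into the dangling buffer) is easy to model outside the kernel. The following is an added example, not the netnatm code and not the reporter's patch: `struct msg`, `msg_extend`, `msg_ensure_void`, `msg_ensure`, `encode_ie_buggy`, `encode_ie_fixed` and the `g_fail_alloc` fault-injection switch are all hypothetical names standing in for uni_msg, uni_msg_extend, the void uni_msg_ensure, the patched uni_msg_ensure and DEF_IE_ENCODE. Because a real write into freed memory is undefined behaviour, the model records a `freed` flag in the struct and has every write report `ERR_UAF` instead of touching the buffer; in the real code that is the point where SET_IE_LEN scribbles into freed memory.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical simplification of a uni_msg-style growable buffer. */
struct msg {
    uint8_t *buf;   /* heap buffer; left dangling after msg_destroy() */
    size_t   len;   /* bytes used */
    size_t   cap;   /* bytes allocated */
    int      freed; /* instrumentation only: set once buf has been freed */
};

enum { IE_HDR = 4, ERR_UAF = -1 };

/* Fault injection: when set, the allocator fails deterministically. */
static int g_fail_alloc;

static void *xrealloc(void *p, size_t n) {
    return g_fail_alloc ? NULL : realloc(p, n);
}

/* Frees the buffer but does not clear the pointer, as the report describes. */
static void msg_destroy(struct msg *m) {
    free(m->buf);
    m->freed = 1;
}

/* Grow so that `need` more bytes fit. On failure, tear the message down
 * and return an error code; the caller must not touch m->buf afterwards. */
static int msg_extend(struct msg *m, size_t need) {
    size_t ncap = m->len + need;
    uint8_t *nb = xrealloc(m->buf, ncap);
    if (nb == NULL) {
        msg_destroy(m);
        return ENOMEM;
    }
    m->buf = nb;
    m->cap = ncap;
    return 0;
}

/* Before the fix: declared void, so msg_extend()'s error is dropped. */
static void msg_ensure_void(struct msg *m, size_t need) {
    if (m->cap - m->len < need)
        (void)msg_extend(m, need);
}

/* After the fix: the error code is propagated to the encoder. */
static int msg_ensure(struct msg *m, size_t need) {
    if (m->cap - m->len < need)
        return msg_extend(m, need);
    return 0;
}

/* Instrumented write: reports instead of performing the use-after-free. */
static int msg_put(struct msg *m, const uint8_t *p, size_t n) {
    if (m->freed) return ERR_UAF;
    memcpy(m->buf + m->len, p, n);
    m->len += n;
    return 0;
}

/* Stand-in for SET_IE_LEN: patch the 16-bit body length into the header. */
static int ie_set_len(struct msg *m, size_t hdr_off) {
    if (m->freed) return ERR_UAF;
    size_t body = m->len - hdr_off - IE_HDR;
    m->buf[hdr_off + 2] = (uint8_t)(body >> 8);
    m->buf[hdr_off + 3] = (uint8_t)body;
    return 0;
}

static const uint8_t k_body[] = { 0x80, 0x01, 0x02 }; /* constructed IE payload */

/* Buggy DEF_IE_ENCODE: the ensure failure is invisible, so the encoder
 * carries on and its first write lands in freed memory. */
static int encode_ie_buggy(struct msg *m, uint8_t id) {
    size_t hdr_off = m->len;
    uint8_t hdr[IE_HDR] = { id, 0x80, 0, 0 };
    msg_ensure_void(m, IE_HDR + sizeof k_body);      /* START_IE2: error lost */
    int rc;
    if ((rc = msg_put(m, hdr, IE_HDR)) != 0) return rc;
    if ((rc = msg_put(m, k_body, sizeof k_body)) != 0) return rc;
    return ie_set_len(m, hdr_off);                   /* SET_IE_LEN */
}

/* Fixed DEF_IE_ENCODE: bail out on the propagated error before any write. */
static int encode_ie_fixed(struct msg *m, uint8_t id) {
    size_t hdr_off = m->len;
    uint8_t hdr[IE_HDR] = { id, 0x80, 0, 0 };
    int rc = msg_ensure(m, IE_HDR + sizeof k_body);
    if (rc != 0) return rc;                          /* m->buf is gone; stop */
    if ((rc = msg_put(m, hdr, IE_HDR)) != 0) return rc;
    if ((rc = msg_put(m, k_body, sizeof k_body)) != 0) return rc;
    return ie_set_len(m, hdr_off);
}

/* Run one encoder on a fresh message, optionally with allocation failing. */
static int run(int (*enc)(struct msg *, uint8_t), int fail_alloc) {
    struct msg m = { NULL, 0, 0, 0 };
    g_fail_alloc = fail_alloc;
    int rc = enc(&m, 0x5e);
    g_fail_alloc = 0;
    if (!m.freed) free(m.buf);
    return rc;
}

int main(void) {
    printf("buggy, alloc ok:   %d\n", run(encode_ie_buggy, 0));
    printf("fixed, alloc ok:   %d\n", run(encode_ie_fixed, 0));
    printf("buggy, alloc fail: %d (ERR_UAF)\n", run(encode_ie_buggy, 1));
    printf("fixed, alloc fail: %d (ENOMEM)\n", run(encode_ie_fixed, 1));
    return 0;
}
```

With the allocator working both encoders succeed; with it forced to fail the buggy encoder reaches its first buffer write with `freed` set (the real code would use freed memory there), while the fixed encoder returns ENOMEM without touching the buffer. The fix is purely about not discarding the return value: the grow routine already reported the failure, the void wrapper just threw the report away.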