Module Name: src
Committed By: christos
Date: Wed Jun 12 01:32:30 UTC 2019
Modified Files:
src/sys/netipsec: key.c
Log Message:
Fix double free: key_setsaval() free's newsav by calling key_freesaval()
and key_api_update() calls key_delsav() when key_setsaval() fails which
calls key_freesaval() again...
To generate a diff of this commit:
cvs rdiff -u -r1.261 -r1.262 src/sys/netipsec/key.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/sys/netipsec/key.c
diff -u src/sys/netipsec/key.c:1.261 src/sys/netipsec/key.c:1.262
--- src/sys/netipsec/key.c:1.261 Sat Jan 26 21:08:48 2019
+++ src/sys/netipsec/key.c Tue Jun 11 21:32:30 2019
@@ -1,4 +1,4 @@
-/* $NetBSD: key.c,v 1.261 2019/01/27 02:08:48 pgoyette Exp $ */
+/* $NetBSD: key.c,v 1.262 2019/06/12 01:32:30 christos Exp $ */
/* $FreeBSD: key.c,v 1.3.2.3 2004/02/14 22:23:23 bms Exp $ */
/* $KAME: key.c,v 1.191 2001/06/27 10:46:49 sakane Exp $ */
@@ -32,7 +32,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: key.c,v 1.261 2019/01/27 02:08:48 pgoyette Exp $");
+__KERNEL_RCSID(0, "$NetBSD: key.c,v 1.262 2019/06/12 01:32:30 christos Exp $");
/*
* This code is referred to RFC 2367
@@ -5753,7 +5753,7 @@ key_api_update(struct socket *so, struct
error = key_setsaval(newsav, m, mhp);
if (error) {
- key_delsav(newsav);
+ kmem_free(newsav, sizeof(*newsav));
goto error;
}
