svn commit: r299513 - head/usr.sbin/rtadvd

[Conrad E. Meyer]

Author: cem
Date: Thu May 12 04:54:32 2016
New Revision: 299513
URL: https://svnweb.freebsd.org/changeset/base/299513

Log:
  rtadvd(8): Don't use-after-free
  
  This whole block of code as committed fully formed in r224144.  I'm not really
  sure what the intent was, but it seems plausible that !persist ifis could need
  other member cleanup.  Don't free the object until after we've finished
  cleaning its members.
  
  Reported by:  Coverity
  CID:          1006079
  Sponsored by: EMC / Isilon Storage Division

Modified:
  head/usr.sbin/rtadvd/config.c

Modified: head/usr.sbin/rtadvd/config.c
==============================================================================
--- head/usr.sbin/rtadvd/config.c       Thu May 12 04:28:22 2016        
(r299512)
+++ head/usr.sbin/rtadvd/config.c       Thu May 12 04:54:32 2016        
(r299513)
@@ -234,7 +234,6 @@ rm_ifinfo(struct ifinfo *ifi)
                TAILQ_REMOVE(&ifilist, ifi, ifi_next);
                syslog(LOG_DEBUG, "<%s>: ifinfo (idx=%d) removed.",
                    __func__, ifi->ifi_ifindex);
-               free(ifi);
        } else {
                /* recreate an empty entry */
                update_persist_ifinfo(&ifilist, ifi->ifi_ifname);
@@ -278,6 +277,8 @@ rm_ifinfo(struct ifinfo *ifi)
        }
 
        syslog(LOG_DEBUG, "<%s> leave (%s).", __func__, ifi->ifi_ifname);
+       if (!ifi->ifi_persist)
+               free(ifi);
        return (0);
 }
 
_______________________________________________
svn-src-head@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/svn-src-head
To unsubscribe, send any mail to "svn-src-head-unsubscr...@freebsd.org"