On 15 January 2015 at 03:53, Lawrence Teo <[email protected]> wrote:
> libpcap has a use after free (found via LLVM).
>
> pcap_close() currently looks like this:
>
> void
> pcap_close(pcap_t *p)
> {
>         if (p->opt.source != NULL)
>                 free(p->opt.source);
>         pcap_cleanup_bpf(p);
>         free(p);
> }
>
> The bug affects libpcap programs that enable monitor mode on 802.11
> devices (i.e. if they call pcap_set_rfmon() followed by
> pcap_activate()). If pcap_close() is called after that,
> pcap_cleanup_bpf() will attempt to use p->opt.source while trying to
> disable monitor mode, resulting in a use after free.
>
> The fix is simple (diff below). I tested this with a small program
> that calls pcap_create(), pcap_set_rfmon(), pcap_activate(), and
> pcap_close() on an iwn(4) device with MALLOC_OPTIONS=AFGJPRX.
> With the diff applied, the test program no longer segfaults.
>
> ok?
Looks good to me. OK mikeb
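As an added illustration (not the diff from the thread, which is not reproduced above, and not libpcap's own code), here is a self-contained model of the ordering defect: the struct layout, the model_* names and the behaviour of the cleanup stand-in are assumptions, and the "fixed" variant assumes the patch simply moves the free of opt.source after the pcap_cleanup_bpf() call, which is what the report's description implies.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed minimal model of the pcap_t fields the report touches;
 * this is not the real libpcap layout. */
struct model_pcap {
    struct { char *source; int rfmon; } opt;
    int monitor_active;                 /* set by the activate step */
};

/* Records the interface the cleanup last took out of monitor mode. */
static char last_disabled[32] = "";

/* Stand-in for pcap_cleanup_bpf(): leaving monitor mode needs the
 * interface name, which is exactly why it reads p->opt.source. */
static int model_cleanup_bpf(struct model_pcap *p) {
    if (!p->monitor_active)
        return 0;
    snprintf(last_disabled, sizeof last_disabled, "%s", p->opt.source);
    p->monitor_active = 0;
    return 1;
}

/* Ordering from the report: source is freed, then cleanup reads it.
 * Kept only to show the defect; do not call it (undefined behaviour). */
void pcap_close_buggy(struct model_pcap *p) {
    if (p->opt.source != NULL)
        free(p->opt.source);
    model_cleanup_bpf(p);               /* use after free when rfmon was on */
    free(p);
}

/* Fixed ordering (assumed to match the patch): tear down state that still
 * needs opt.source, then release the allocations. Returns 1 if monitor
 * mode had to be disabled during close. */
static int pcap_close_fixed(struct model_pcap *p) {
    int disabled = model_cleanup_bpf(p);
    if (p->opt.source != NULL)
        free(p->opt.source);
    free(p);
    return disabled;
}

/* Models pcap_create() + pcap_set_rfmon() + pcap_activate() in one step. */
static struct model_pcap *model_open(const char *ifname, int rfmon) {
    struct model_pcap *p = calloc(1, sizeof *p);
    if (p == NULL)
        return NULL;
    p->opt.source = strdup(ifname);
    p->opt.rfmon = rfmon;
    p->monitor_active = rfmon;          /* activate enabled monitor mode */
    return p;
}
```

Running the buggy variant under a poisoning allocator (the report used MALLOC_OPTIONS=AFGJPRX) or AddressSanitizer makes the stale read visible immediately, which is the practical way to confirm this class of teardown-ordering bug.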
