From: Garrett Cooper
Date: Fri, 10 Jun 2016 18:22:21 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-9@freebsd.org
Subject: svn commit: r301810 - stable/9/usr.sbin/rtadvd

Author: ngie
Date: Fri Jun 10 18:22:21 2016
New Revision: 301810
URL: https://svnweb.freebsd.org/changeset/base/301810

Log:
  MFstable/10 r301809:

  MFC r299513,r299515:

  r299513 (by cem):

  rtadvd(8): Don't use-after-free

  This whole block of code was committed fully formed in r224144.
  I'm not really sure what the intent was, but it seems plausible that !persist
  ifis could need other member cleanup. Don't free the object until after we've
  finished cleaning its members.

  CID: 1006079

  r299515 (by cem):

  rtadvd(8): Fix use-after-close in cm_handler_client

  cm_send() closes 'fd' on error. In that case, bail out early without trying to
  recv from or close 'fd' again.

  CID: 1006078

Modified:
  stable/9/usr.sbin/rtadvd/config.c
  stable/9/usr.sbin/rtadvd/control_client.c
Directory Properties:
  stable/9/ (props changed)
  stable/9/usr.sbin/ (props changed)
  stable/9/usr.sbin/rtadvd/ (props changed)

Modified: stable/9/usr.sbin/rtadvd/config.c ============================================================================== --- stable/9/usr.sbin/rtadvd/config.c Fri Jun 10 18:21:05 2016 (r301809) +++ stable/9/usr.sbin/rtadvd/config.c Fri Jun 10 18:22:21 2016 (r301810) 
@@ -229,7 +229,6 @@ rm_ifinfo(struct ifinfo *ifi) TAILQ_REMOVE(&ifilist, ifi, ifi_next); syslog(LOG_DEBUG, "<%s>: ifinfo (idx=%d) removed.", __func__, ifi->ifi_ifindex); - free(ifi); } else { /* recreate an empty entry */ update_persist_ifinfo(&ifilist, ifi->ifi_ifname); @@ -273,6 +272,8 @@ rm_ifinfo(struct ifinfo *ifi) } syslog(LOG_DEBUG, "<%s> leave (%s).", __func__, ifi->ifi_ifname); + if (!ifi->ifi_persist) + free(ifi); return (0); } Modified: stable/9/usr.sbin/rtadvd/control_client.c ============================================================================== --- stable/9/usr.sbin/rtadvd/control_client.c Fri Jun 10 18:21:05 2016 (r301809) +++ stable/9/usr.sbin/rtadvd/control_client.c Fri Jun 10 18:22:21 2016 (r301810) @@ -92,9 +92,11 @@ cm_handler_client(int fd, int state, cha case CM_STATE_MSG_DISPATCH: cm->cm_version = CM_VERSION; error = cm_send(fd, buf); - if (error) + if (error) { syslog(LOG_WARNING, "<%s> cm_send()", __func__); + return (-1); + } state = CM_STATE_ACK_WAIT; break; case CM_STATE_ACK_WAIT:
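
Review bot: in config.c, first hunk of rm_ifinfo() (@@ -229,7 +229,6), nothing marks the spot where free(ifi) used to be, so the branch that calls TAILQ_REMOVE now unlinks ifi and leaves its ownership implicit until the end of the function. A short comment at this point saying the free is deferred to the exit path would help, and it is worth confirming that no return sits between this branch and the new free added near line 272, since any such path would leak the unlinked ifi.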
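
Review bot: in config.c, second hunk of rm_ifinfo() (@@ -273,6 +272,8), the deferred free is decided by reading ifi->ifi_persist again at the end of the function, separately from the earlier branch that performed TAILQ_REMOVE, so the two tests have to stay in agreement for the unlinked object to be freed exactly once. Placing free(ifi) after the final syslog() that reads ifi->ifi_ifname is the right order. Consider recording the decision in a local flag set next to TAILQ_REMOVE, or at least adding a comment that ties "if (!ifi->ifi_persist)" back to that branch.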
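
Review bot: in control_client.c, cm_handler_client() case CM_STATE_MSG_DISPATCH, the new "return (-1);" leaves fd untouched on the assumption that cm_send() has already closed it, but that contract is stated only in the commit message and not in the code. Add a comment on the return, for example "/* cm_send() closed fd on error */", so a later change does not add a close(fd) on this path, and make sure callers that receive -1 also treat fd as closed. The syslog() call could also log the value of error rather than only the function name.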