From: "Conrad E. Meyer"
Date: Thu, 12 May 2016 04:54:32 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: svn commit: r299513 - head/usr.sbin/rtadvd

Author: cem
Date: Thu May 12 04:54:32 2016
New Revision: 299513
URL: https://svnweb.freebsd.org/changeset/base/299513

Log:
  rtadvd(8): Don't use-after-free

  This whole block of code was committed fully formed in r224144. I'm not really sure what the intent was, but it seems plausible that !persist ifis could need other member cleanup. Don't free the object until after we've finished cleaning its members.

  Reported by: Coverity
  CID: 1006079
  Sponsored by: EMC / Isilon Storage Division

Modified:
  head/usr.sbin/rtadvd/config.c

Modified: head/usr.sbin/rtadvd/config.c ============================================================================== --- head/usr.sbin/rtadvd/config.c Thu May 12 04:28:22 2016 (r299512) +++ head/usr.sbin/rtadvd/config.c Thu May 12 04:54:32 2016 (r299513) @@ -234,7 +234,6 @@ rm_ifinfo(struct ifinfo *ifi) TAILQ_REMOVE(&ifilist, ifi, ifi_next); syslog(LOG_DEBUG, "<%s>: ifinfo (idx=%d) removed.", __func__, ifi->ifi_ifindex); - free(ifi); } else { /* recreate an empty entry */ update_persist_ifinfo(&ifilist, ifi->ifi_ifname); @@ -278,6 +277,8 @@ rm_ifinfo(struct ifinfo *ifi) } syslog(LOG_DEBUG, "<%s> leave (%s).", __func__, ifi->ifi_ifname); + if (!ifi->ifi_persist) + free(ifi); return (0); }
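
Review bot: in the first hunk (@@ -234), once `free(ifi)` is dropped from the branch that does `TAILQ_REMOVE(&ifilist, ifi, ifi_next)`, the object is off the list but stays allocated until the end of rm_ifinfo(), so any return between this branch and the final `return (0)` would now leak it. The lines between the two hunks are not shown here; please confirm there is no early return in that span, or route such paths through a single exit that performs the free.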
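
Review bot: in the second hunk (@@ -278), the added `if (!ifi->ifi_persist) free(ifi);` re-reads the flag at the end of the function, and nothing in the visible lines ties it to the condition that selected the TAILQ_REMOVE branch in the first hunk. If that condition is not exactly `!ifi->ifi_persist`, or the flag can change during the member cleanup in between, an entry could be unlinked but never freed, or freed while still on ifilist. Latching the decision in a local variable at the branch and testing that local here would make the pairing explicit, and a one-line comment saying the free is deferred because the cleanup above still dereferences ifi would help the next reader. Placing it after the final syslog() is right, since that call reads ifi->ifi_ifname.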