Date: Fri, 14 Oct 2022 13:52:56 +0000
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 267050] free(buf) in libbsm/bsm_io.c should be free(*buf)
Message-ID: <bug-267050-227@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=267050

Bug ID: 267050
Summary: free(buf) in libbsm/bsm_io.c should be free(*buf)
Product: Base System
Version: CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: bin
Assignee: bugs@FreeBSD.org
Reporter: rtm@lcs.mit.edu

Created attachment 237300
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=237300&action=edit
auditreduce input that causes a segmentation fault in free()

au_read_rec() in /usr/src/contrib/openbsm/libbsm/bsm_io.c says:

    *buf = malloc(recsize);
    ...;
    free(buf);

The free(buf) should be free(*buf).

I've attached a demo:

% auditreduce < auditreduce1a.dat
Segmentation fault

Thread 2.1 received signal SIGSEGV, Segmentation fault.
Address not mapped to object.
[Switching to LWP 100451 of process 16127]
0x000000080120ad11 in ?? () from /lib/libc.so.7
(gdb) where
#0  0x000000080120ad11 in ?? () from /lib/libc.so.7
#1  0x0000000801084680 in au_read_rec (fp=0x80127c6c0, buf=0x7fffffffde28)
    at /usr/src/contrib/openbsm/libbsm/bsm_io.c:4600
#2  0x0000000001024851 in select_records (fp=0x80127c6c0)
    at /usr/src/contrib/openbsm/bin/auditreduce/auditreduce.c:532
#3  0x0000000001024384 in main (argc=<optimized out>, argv=<optimized out>)
    at /usr/src/contrib/openbsm/bin/auditreduce/auditreduce.c:829

This is on 13.1-RELEASE-p2 as well as a recent CURRENT.

-- 
You are receiving this mail because:
You are the assignee for the bug.
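
The out-parameter cleanup pattern from the report above, as an added example that is not the OpenBSM source and not part of the original message. The names read_rec and struct src, the 4-byte length framing, the size limit and the short-read failure path are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed in-memory input; stands in for the FILE * in the report. */
struct src { const unsigned char *p; size_t len, off; };

static int src_read(struct src *s, void *dst, size_t n)
{
    if (n > s->len - s->off)
        return -1;                  /* short read: input is truncated */
    memcpy(dst, s->p + s->off, n);
    s->off += n;
    return 0;
}

/*
 * read_rec (hypothetical): reads one record framed as a 4-byte big-endian
 * total length followed by the body (simplified framing, an assumption).
 * Success: returns the record size, *buf owns a malloc'd copy.
 * Failure: returns -1 and *buf is NULL, so the caller has nothing to free.
 */
int read_rec(struct src *s, unsigned char **buf)
{
    unsigned char hdr[4];
    uint32_t recsize;

    *buf = NULL;
    if (src_read(s, hdr, sizeof(hdr)) != 0)
        return -1;
    recsize = (uint32_t)hdr[0] << 24 | (uint32_t)hdr[1] << 16 |
              (uint32_t)hdr[2] << 8 | hdr[3];
    if (recsize < sizeof(hdr) || recsize > (1u << 20))
        return -1;                  /* bound the attacker-supplied length */

    *buf = malloc(recsize);
    if (*buf == NULL)
        return -1;
    memcpy(*buf, hdr, sizeof(hdr));

    if (src_read(s, *buf + sizeof(hdr), recsize - sizeof(hdr)) != 0) {
        /* Writing free(buf) here is the reported pattern: buf is the address
         * of the caller's pointer variable, not memory from malloc(). */
        free(*buf);
        *buf = NULL;                /* no dangling pointer left in the caller */
        return -1;
    }
    return (int)recsize;
}
```

Building the error paths of such a reader with -fsanitize=address and feeding it truncated input turns a free() of a non-heap pointer into an immediate diagnostic rather than an allocator-dependent crash.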