Date:      Fri, 10 Jun 2016 18:21:06 +0000 (UTC)
From:      Garrett Cooper <ngie@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-10@freebsd.org
Subject:   svn commit: r301809 - stable/10/usr.sbin/rtadvd
Message-ID:  <201606101821.u5AIL6bX026270@repo.freebsd.org>

Author: ngie
Date: Fri Jun 10 18:21:05 2016
New Revision: 301809
URL: https://svnweb.freebsd.org/changeset/base/301809

Log:
  MFC r299513,r299515:
  
  r299513 (by cem):
  
  rtadvd(8): Don't use-after-free
  
  This whole block of code was committed fully formed in r224144.  I'm not really
  sure what the intent was, but it seems plausible that !persist ifis could need
  other member cleanup.  Don't free the object until after we've finished
  cleaning its members.
  
  CID:		1006079
  
  r299515 (by cem):
  
  rtadvd(8): Fix use-after-close in cm_handler_client
  
  cm_send() closes 'fd' on error.  In that case, bail out early without trying to
  recv from or close 'fd' again.
  
  CID:		1006078

Modified:
  stable/10/usr.sbin/rtadvd/config.c
  stable/10/usr.sbin/rtadvd/control_client.c
Directory Properties:
  stable/10/   (props changed)

Modified: stable/10/usr.sbin/rtadvd/config.c
==============================================================================
--- stable/10/usr.sbin/rtadvd/config.c	Fri Jun 10 18:13:41 2016	(r301808)
+++ stable/10/usr.sbin/rtadvd/config.c	Fri Jun 10 18:21:05 2016	(r301809)
@@ -229,7 +229,6 @@ rm_ifinfo(struct ifinfo *ifi)
 		TAILQ_REMOVE(&ifilist, ifi, ifi_next);
 		syslog(LOG_DEBUG, "<%s>: ifinfo (idx=%d) removed.",
 		    __func__, ifi->ifi_ifindex);
-		free(ifi);
 	} else {
 		/* recreate an empty entry */
 		update_persist_ifinfo(&ifilist, ifi->ifi_ifname);
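Review bot: with free(ifi) dropped from the branch that does TAILQ_REMOVE(&ifilist, ifi, ifi_next), the object is now unlinked from the list but stays allocated until the very end of rm_ifinfo(), so any return path between this branch and the final free would leak it. Please confirm there is no early return in the member cleanup that follows, and consider leaving a short comment where the free used to be saying that the release is deferred until the members have been cleaned up, so the missing free does not look like an oversight.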
@@ -273,6 +272,8 @@ rm_ifinfo(struct ifinfo *ifi)
 	}
 
 	syslog(LOG_DEBUG, "<%s> leave (%s).", __func__, ifi->ifi_ifname);
+	if (!ifi->ifi_persist)
+		free(ifi);
 	return (0);
 }
 
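Review bot: the new "if (!ifi->ifi_persist) free(ifi);" before return (0) has to match the condition of the earlier branch that unlinked ifi, and that condition is not visible in this hunk and is re-evaluated here from the object itself. If the two tests ever diverge, the result is either a leak or a free of an entry that is still referenced. Recording the decision in a local flag at the point where TAILQ_REMOVE is done, and testing that flag here, would tie the free to the unlink explicitly. The placement after the final syslog() that reads ifi->ifi_ifname is correct.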

Modified: stable/10/usr.sbin/rtadvd/control_client.c
==============================================================================
--- stable/10/usr.sbin/rtadvd/control_client.c	Fri Jun 10 18:13:41 2016	(r301808)
+++ stable/10/usr.sbin/rtadvd/control_client.c	Fri Jun 10 18:21:05 2016	(r301809)
@@ -92,9 +92,11 @@ cm_handler_client(int fd, int state, cha
 		case CM_STATE_MSG_DISPATCH:
 			cm->cm_version = CM_VERSION;
 			error = cm_send(fd, buf);
-			if (error)
+			if (error) {
 				syslog(LOG_WARNING,
 				    "<%s> cm_send()", __func__);
+				return (-1);
+			}
 			state = CM_STATE_ACK_WAIT;
 			break;
 		case CM_STATE_ACK_WAIT:
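Review bot: the early "return (-1);" in the CM_STATE_MSG_DISPATCH error path leaves without closing fd, which is only correct because cm_send() closes fd itself on error, and nothing at the call site says so. A one-line comment next to the return stating that cm_send() has already closed fd would keep a later change from adding a close() here and reintroducing a double close. The warning "<%s> cm_send()" also drops the value of error; including it in the syslog() call would make the failure diagnosable.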


