Date: Fri, 14 May 2021 08:59:12 +0000
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 255861] [PATCH] ngatm/netnatm/msg: Fix a use after free in DEF_IE_ENCODE
Message-ID: <bug-255861-227@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=255861

Bug ID: 255861
Summary: [PATCH] ngatm/netnatm/msg: Fix a use after free in DEF_IE_ENCODE
Product: Base System
Version: CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Many People
Priority: ---
Component: kern
Assignee: bugs@FreeBSD.org
Reporter: lylgood@foxmail.com

Created attachment 224924
--> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=224924&action=edit
recover error code propagation

Bug File: sys/contrib/ngatm/netnatm/msg/uni_ie.c

In function DEF_IE_ENCODE, the macro START_IE2(...) calls uni_encode_ie_hdr(msg,...). msg->buf is freed in the path: uni_encode_ie_hdr(msg,..) -> uni_msg_ensure(msg,..) -> uni_msg_destroy(m) -> free(m->buf), and uni_msg_extend() returns an error code. But the error code propagation is truncated by converting uni_msg_ensure() to void. Then the freed msg->buf is used in the macro SET_IE_LEN(msg) in function DEF_IE_ENCODE(). My patch recovers the error code propagation to avoid the UAF bug.

-- 
You are receiving this mail because:
You are the assignee for the bug.
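The following C program is an added illustration of the failure mode the report describes; it is a constructed model, not FreeBSD's ngatm code. It builds a small growable message buffer whose grow routine frees the buffer and returns an error when allocation fails (the uni_msg_extend -> uni_msg_destroy -> free(m->buf) path), and an information-element encoder that propagates that error instead of discarding it, so the trailing length-byte write (the SET_IE_LEN step) never touches freed memory. The names struct msg, msg_extend, msg_ensure, encode_ie and the msg_fail_next_extend failure-injection hook are assumptions of this example standing in for uni_msg_extend, uni_msg_ensure and DEF_IE_ENCODE.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of a growable message buffer (not struct uni_msg). */
struct msg {
    uint8_t *buf;   /* heap buffer; NULL once destroyed */
    size_t   len;   /* bytes written so far */
    size_t   cap;   /* bytes allocated */
};

/* Constructed test hook: when non-zero, the next growth attempt fails. */
int msg_fail_next_extend = 0;

/* Release the buffer; this is the free() a caller must not run past. */
void msg_destroy(struct msg *m)
{
    free(m->buf);
    m->buf = NULL;
    m->len = m->cap = 0;
}

/* Grow so that at least `need` more bytes fit. On failure the message is
 * destroyed and an error code is returned, as in the reported path. */
int msg_extend(struct msg *m, size_t need)
{
    size_t ncap = m->cap ? m->cap : 16;
    uint8_t *nbuf = NULL;

    while (ncap - m->len < need)
        ncap *= 2;
    if (!msg_fail_next_extend)
        nbuf = realloc(m->buf, ncap);
    msg_fail_next_extend = 0;
    if (nbuf == NULL) {
        msg_destroy(m);     /* m->buf is gone from here on */
        return -1;
    }
    m->buf = nbuf;
    m->cap = ncap;
    return 0;
}

/* Pre-patch, the equivalent wrapper was void and dropped msg_extend()'s
 * result; here the status is returned so callers can stop. */
int msg_ensure(struct msg *m, size_t need)
{
    if (m->cap - m->len >= need)
        return 0;
    return msg_extend(m, need);
}

/* Encode one IE as: 1-byte type, 1-byte length, payload. The length byte
 * is patched last, which is where SET_IE_LEN would read freed memory if
 * the failure above were not propagated. */
int encode_ie(struct msg *m, uint8_t type, const uint8_t *payload, size_t plen)
{
    size_t start;

    if (plen > 255)
        return -1;
    /* header reservation step (START_IE2 -> uni_encode_ie_hdr analogue) */
    if (msg_ensure(m, 2 + plen) != 0)
        return -1;          /* buffer was freed: do not touch m->buf */
    start = m->len;
    m->buf[m->len++] = type;
    m->buf[m->len++] = 0;   /* placeholder, filled below */
    memcpy(m->buf + m->len, payload, plen);
    m->len += plen;
    m->buf[start + 1] = (uint8_t)(m->len - start - 2);  /* SET_IE_LEN analogue */
    return 0;
}
```

The check this models is simple to audit for: any routine that may destroy or reallocate its argument on failure must return a status, and every caller, including wrapper macros, must consume that status before touching the object again. A wrapper declared void is the signal that the status was lost somewhere in between.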