Date: Fri, 14 May 2021 08:59:12 +0000
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 255861] [PATCH] ngatm/netnatm/msg: Fix a use after free in DEF_IE_ENCODE
Message-ID: <bug-255861-227@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=255861

            Bug ID: 255861
           Summary: [PATCH] ngatm/netnatm/msg: Fix a use after free in
                    DEF_IE_ENCODE
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Many People
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: lylgood@foxmail.com

Created attachment 224924
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=224924&action=edit
recover error code propagation

Bug File: sys/contrib/ngatm/netnatm/msg/uni_ie.c

In function DEF_IE_ENCODE, the macro START_IE2(...) calls uni_encode_ie_hdr(msg, ...). msg->buf is freed in the path uni_encode_ie_hdr(msg, ...) -> uni_msg_ensure(msg, ...) -> uni_msg_destroy(m) -> free(m->buf), and uni_msg_extend() returns an error code. But the error code propagation is truncated by converting uni_msg_ensure() to void. Then the freed msg->buf is used in the macro SET_IE_LEN(msg) in function DEF_IE_ENCODE(). My patch recovers the error code propagation to avoid the UAF bug.

-- 
You are receiving this mail because:
You are the assignee for the bug.
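The failure path the report describes, as an added example constructed for this page (it is neither the ngatm sources nor the attached patch): a growth step that tears the message buffer down when allocation fails, an ensure wrapper that was made void so the failure is lost, and an encoder that then patches the IE length field into the released buffer. The struct, the names (`msg_extend`, `msg_ensure`, `msg_ensure_void`, `set_ie_len`, `encode_ie_vuln`, `encode_ie_fixed`), the 3-byte IE header and the `extend_should_fail` hook are all assumptions. The teardown is simulated by poisoning and flagging the buffer instead of calling free(), so the demonstration itself has no undefined behaviour; the `uses_after_free` counter plays the role a sanitizer would.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed model of the report's bug shape; it is not the ngatm code. */
#define IE_HDR_LEN 3          /* assumed IE header: 1-byte id, 2-byte length */

struct msg {
    unsigned char *buf;       /* encoded bytes */
    size_t len;               /* bytes used */
    size_t cap;               /* bytes allocated */
    int freed;                /* constructed: buf has been "destroyed" */
    int uses_after_free;      /* constructed: writes into a destroyed buf */
};

int extend_should_fail;       /* test hook: force the next growth to fail */

int msg_init(struct msg *m, size_t cap)
{
    memset(m, 0, sizeof(*m));
    m->buf = malloc(cap);
    if (m->buf == NULL)
        return -1;
    m->cap = cap;
    return 0;
}

void msg_fini(struct msg *m)
{
    free(m->buf);
    m->buf = NULL;
}

/* Model of uni_msg_extend(): make room for `need` more bytes. On failure
 * the message is torn down (uni_msg_destroy -> free(buf)) and a nonzero
 * code is returned. The teardown is simulated by poisoning the buffer and
 * setting `freed`, so later writes are observable rather than UB. */
static int msg_extend(struct msg *m, size_t need)
{
    unsigned char *nb = NULL;
    if (extend_should_fail) {              /* simulated allocation failure */
        extend_should_fail = 0;
    } else if (m->len + need <= m->cap) {
        return 0;
    } else {
        nb = realloc(m->buf, m->len + need);
    }
    if (nb == NULL) {
        memset(m->buf, 0xdd, m->cap);      /* stands in for free(m->buf) */
        m->freed = 1;
        return -1;
    }
    m->buf = nb;
    m->cap = m->len + need;
    return 0;
}

/* Shape of the bug: ensure was made void, so the caller never learns that
 * extend failed and the buffer is gone. */
static void msg_ensure_void(struct msg *m, size_t need)
{
    (void)msg_extend(m, need);
}

/* Shape of the fix: ensure propagates extend's error code. */
static int msg_ensure(struct msg *m, size_t need)
{
    return msg_extend(m, need);
}

/* Model of SET_IE_LEN: patch the 16-bit length field of the IE at `start`. */
static void set_ie_len(struct msg *m, size_t start)
{
    size_t n = m->len - start - IE_HDR_LEN;
    if (m->freed)
        m->uses_after_free++;              /* this is the reported UAF */
    m->buf[start + 1] = (unsigned char)(n >> 8);
    m->buf[start + 2] = (unsigned char)(n & 0xff);
}

/* Vulnerable encoder: mirrors DEF_IE_ENCODE with START_IE2 calling a void
 * ensure, then SET_IE_LEN touching a buffer that may already be destroyed. */
int encode_ie_vuln(struct msg *m, unsigned char id, const char *payload, size_t n)
{
    size_t start = m->len;
    msg_ensure_void(m, IE_HDR_LEN + n);    /* failure is silently dropped */
    m->buf[start] = id;
    memcpy(m->buf + start + IE_HDR_LEN, payload, n);
    m->len = start + IE_HDR_LEN + n;
    set_ie_len(m, start);
    return (int)(IE_HDR_LEN + n);
}

/* Hardened encoder: the error code is checked before the buffer is used. */
int encode_ie_fixed(struct msg *m, unsigned char id, const char *payload, size_t n)
{
    size_t start = m->len;
    int err = msg_ensure(m, IE_HDR_LEN + n);
    if (err != 0)
        return err;                        /* buffer is gone; stop here */
    m->buf[start] = id;
    memcpy(m->buf + start + IE_HDR_LEN, payload, n);
    m->len = start + IE_HDR_LEN + n;
    set_ie_len(m, start);
    return (int)(IE_HDR_LEN + n);
}
```

With `extend_should_fail` set, the vulnerable encoder reports success and records one write into the destroyed buffer at the length-patch step, while the hardened encoder returns the growth step's error before touching the buffer. On a real build the same shape is what an ASan or junk-on-free malloc report pointing at SET_IE_LEN would show, and propagating the error code is the fix the report attaches.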
