Date: Fri, 14 May 2021 12:03:58 +0000 From: bugzilla-noreply@freebsd.org To: bugs@FreeBSD.org Subject: [Bug 255870] [PATCH] rpc/rpcsec_gss: Fix a double free in rpc_gss_marshal Message-ID: <bug-255870-227@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=255870

            Bug ID: 255870
           Summary: [PATCH] rpc/rpcsec_gss: Fix a double free in rpc_gss_marshal
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Many People
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: lylgood@foxmail.com

Created attachment 224934
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=224934&action=edit
assigns verf.oa_base to checksum.value back

Bug File: sys/rpc/rpcsec_gss/rpcsec_gss.c

In function rpc_gss_marshal, checksum.value is assigned to verf.oa_base at line 591. Then verf.oa_base is freed via xdr_opaque_auth()->xdr_bytes()->mem_free(), and verf.oa_base is set to NULL. Notice that checksum.value is now a dangling pointer which points to a freed memory object. Then gss_release_buffer() at line 595 is called, and the memory object pointed to by checksum.value is freed via free() again.

As verf.oa_base is set to NULL when it is freed, my patch assigns verf.oa_base back to checksum.value. If verf.oa_base is freed, the value of checksum.value will be NULL and no double free happens.

-- 
You are receiving this mail because:
You are the assignee for the bug.
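The aliasing pattern the report describes, as an added model that is not FreeBSD's rpcsec_gss code and not the reporter's attachment: two descriptors (checksum.value and verf.oa_base) point at one heap block, the XDR free path releases it through one alias and NULLs only that alias, and a second release through the other alias frees it again. The struct definitions, the tracked_free() wrapper, the marshal_tail() function and its resync_alias flag are all constructed for this example; tracked_free() stands in for mem_free()/free() and counts a repeated release instead of performing it, so the buggy path can be run without corrupting the heap. The flag selects the reporter's fix of re-reading verf.oa_base into checksum.value after the XDR free.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for the two descriptor types named in the report
 * (constructed for this example; not FreeBSD's or the GSS-API's definitions). */
struct gss_buffer { size_t length; void *value; };
struct opaque_auth { int oa_flavor; char *oa_base; unsigned oa_length; };

/* A tiny free-tracker used in place of mem_free()/free(): a second release of
 * the same block is counted instead of performed, so the buggy path can be
 * exercised without corrupting the heap. */
#define MAX_TRACK 16
static uintptr_t freed_blocks[MAX_TRACK];
static int freed_count;
static int double_free_count;

static void tracked_free(void *p)
{
    if (p == NULL)                    /* free(NULL) is a no-op, as with libc */
        return;
    for (int i = 0; i < freed_count; i++) {
        if (freed_blocks[i] == (uintptr_t)p) {
            double_free_count++;      /* the real code would free() this twice */
            return;
        }
    }
    if (freed_count < MAX_TRACK)
        freed_blocks[freed_count++] = (uintptr_t)p;
    free(p);
}

static void reset_tracker(void)
{
    freed_count = 0;
    double_free_count = 0;
}

/* Models xdr_opaque_auth()->xdr_bytes() in XDR_FREE mode: releases oa_base
 * and, as the report relies on, sets the caller's pointer to NULL. */
static void xdr_free_opaque_auth(struct opaque_auth *verf)
{
    tracked_free(verf->oa_base);
    verf->oa_base = NULL;
    verf->oa_length = 0;
}

/* Models gss_release_buffer(): frees buf->value and clears the descriptor. */
static void release_gss_buffer(struct gss_buffer *buf)
{
    tracked_free(buf->value);
    buf->value = NULL;
    buf->length = 0;
}

/* The tail of the marshal path as the report describes it.  When
 * resync_alias is true the reporter's patch is applied: checksum.value is
 * re-read from verf.oa_base after the XDR free, so it becomes NULL too.
 * Returns how many double frees the tracker observed (0 or 1). */
int marshal_tail(bool resync_alias)
{
    reset_tracker();

    struct gss_buffer checksum = { 8, malloc(8) };
    memcpy(checksum.value, "checksum", 8);         /* constructed MIC bytes */

    /* verf.oa_base aliases checksum.value (the report's line 591);
     * the flavor value is illustrative only. */
    struct opaque_auth verf = { 6, checksum.value, (unsigned)checksum.length };

    /* ... the verifier would be XDR-encoded into the message here ... */

    xdr_free_opaque_auth(&verf);        /* block freed, verf.oa_base == NULL */
    if (resync_alias)
        checksum.value = verf.oa_base;  /* patch: alias follows the NULLed pointer */
    release_gss_buffer(&checksum);      /* releases a dangling pointer unless resynced */

    return double_free_count;
}

int main(void)
{
    printf("without patch: %d double free(s)\n", marshal_tail(false));
    printf("with patch:    %d double free(s)\n", marshal_tail(true));
    return 0;
}
```

The model makes the dependency in the proposed fix explicit: it is only safe because the XDR free path writes NULL back through verf.oa_base, so a later release through checksum.value sees NULL and does nothing. Any change to that write-back would reopen the double free, which is the kind of coupling a reviewer would want recorded in a comment next to the assignment.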