Date: Fri, 14 May 2021 12:03:58 +0000
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 255870] [PATCH] rpc/rpcsec_gss: Fix a double free in rpc_gss_marshal
Message-ID: <bug-255870-227@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=255870

Bug ID: 255870
Summary: [PATCH] rpc/rpcsec_gss: Fix a double free in rpc_gss_marshal
Product: Base System
Version: CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Many People
Priority: ---
Component: kern
Assignee: bugs@FreeBSD.org
Reporter: lylgood@foxmail.com

Created attachment 224934
--> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=224934&action=edit
assigns verf.oa_base to checksum.value back

Bug File: sys/rpc/rpcsec_gss/rpcsec_gss.c

In function rpc_gss_marshal, checksum.value is assigned to verf.oa_base at line 591. Then verf.oa_base is freed via xdr_opaque_auth()->xdr_bytes()->mem_free(), and verf.oa_base is set to NULL. Notice that checksum.value is now a dangling pointer which points to a freed memory object. Then gss_release_buffer() at line 595 is called, and the memory object pointed to by checksum.value is freed via free() again.

As verf.oa_base is set to NULL when it is freed, my patch assigns verf.oa_base back to checksum.value. If verf.oa_base has been freed, the value of checksum.value will be NULL and no double free happens.

--
You are receiving this mail because:
You are the assignee for the bug.
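The aliasing pattern the report describes, and the effect of the proposed fix, can be reproduced outside the kernel. The following is an added example, not code from the FreeBSD tree or from the reporter: the structures, function names (xdr_release_auth, gss_release, marshal_cycle) and the tracking allocator are stand-ins that only mirror the field names named in the report (checksum.value, verf.oa_base). The allocator records live blocks so that a second release of the same pointer is counted rather than handed to free() again, which lets the unpatched and patched paths be compared safely.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for the GSS buffer and RPC verifier structures;
 * only the field names (value, oa_base) follow the bug report. */
typedef struct { size_t length; void *value; } gss_buffer_t;
typedef struct { char *oa_base; unsigned oa_length; } opaque_auth_t;

/* Tracking allocator: remembers live blocks, so releasing a pointer that is
 * no longer live is counted as a double free instead of being executed. */
#define MAX_LIVE 16
static void *live[MAX_LIVE];
static int double_frees;

static void *tracked_alloc(size_t n) {
    void *p = malloc(n);
    for (int i = 0; i < MAX_LIVE; i++) {
        if (live[i] == NULL) { live[i] = p; break; }
    }
    return p;
}

static void tracked_free(void *p) {
    if (p == NULL) return;                      /* free(NULL) is a no-op */
    for (int i = 0; i < MAX_LIVE; i++) {
        if (live[i] == p) { live[i] = NULL; free(p); return; }
    }
    double_frees++;                             /* not live: would be a double free */
}

/* Models xdr_opaque_auth() in XDR_FREE mode: releases oa_base and nulls it. */
static void xdr_release_auth(opaque_auth_t *a) {
    tracked_free(a->oa_base);
    a->oa_base = NULL;
}

/* Models gss_release_buffer(): releases value and resets the buffer. */
static void gss_release(gss_buffer_t *b) {
    tracked_free(b->value);
    b->value = NULL;
    b->length = 0;
}

/* One marshal cycle as the report describes it; returns the number of
 * double frees observed. apply_fix selects the reporter's patch. */
int marshal_cycle(int apply_fix) {
    double_frees = 0;
    gss_buffer_t checksum = { 4, tracked_alloc(4) };
    memcpy(checksum.value, "MIC!", 4);          /* constructed sample checksum */
    opaque_auth_t verf = { NULL, 0 };

    verf.oa_base = checksum.value;              /* aliasing, as at line 591 */
    verf.oa_length = (unsigned)checksum.length;

    xdr_release_auth(&verf);                    /* first free; verf.oa_base is now NULL */
    if (apply_fix)
        checksum.value = verf.oa_base;          /* the patch: copy the NULL back */
    gss_release(&checksum);                     /* second release, as at line 595 */
    return double_frees;
}

int main(void) {
    printf("unpatched: %d double free(s)\n", marshal_cycle(0));
    printf("patched:   %d double free(s)\n", marshal_cycle(1));
    return 0;
}
```

Without the fix the second release sees the stale checksum.value and the tracker reports one double free; with the fix checksum.value has been reset from the already-nulled verf.oa_base, so the second release is a no-op. The same "null the alias after the first free" rule is what a reviewer would look for whenever one buffer is reachable through two owning structures.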
