From owner-freebsd-bugs@FreeBSD.ORG Fri Sep 14 22:20:02 2007
Return-Path:
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 09A6316A41A for ; Fri, 14 Sep 2007 22:20:02 +0000 (UTC) (envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id BB27913C4FA for ; Fri, 14 Sep 2007 22:20:01 +0000 (UTC) (envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.14.1/8.14.1) with ESMTP id l8EMK1CI018975 for ; Fri, 14 Sep 2007 22:20:01 GMT (envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.14.1/8.14.1/Submit) id l8EMK1Y1018974; Fri, 14 Sep 2007 22:20:01 GMT (envelope-from gnats)
Resent-Date: Fri, 14 Sep 2007 22:20:01 GMT
Resent-Message-Id: <200709142220.l8EMK1Y1018974@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, Peter Hunt
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id AD7EC16A417 for ; Fri, 14 Sep 2007 22:18:49 +0000 (UTC) (envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [IPv6:2001:4f8:fff6::21]) by mx1.freebsd.org (Postfix) with ESMTP id 8162013C45B for ; Fri, 14 Sep 2007 22:18:49 +0000 (UTC) (envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1]) by www.freebsd.org (8.14.1/8.14.1) with ESMTP id l8EMInLf042743 for ; Fri, 14 Sep 2007 22:18:49 GMT (envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost) by www.freebsd.org (8.14.1/8.14.1/Submit) id l8EMInjP042742; Fri, 14 Sep 2007 22:18:49 GMT (envelope-from nobody)
Message-Id: <200709142218.l8EMInjP042742@www.freebsd.org>
Date: Fri, 14 Sep 2007 22:18:49 GMT
From: Peter Hunt
To: freebsd-gnats-submit@FreeBSD.org
X-Send-Pr-Version: www-3.1
Cc:
Subject: kern/116360: Potential double-free on error when copying IPv6 output options.
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Bug reports
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Fri, 14 Sep 2007 22:20:02 -0000

>Number:         116360
>Category:       kern
>Synopsis:       Potential double-free on error when copying IPv6 output options.
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Sep 14 22:20:01 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator:     Peter Hunt
>Release:        FreeBSD 6.1 RELEASE
>Organization:
Nokia
>Environment:
FreeBSD frente.nes.nokia.com 6.1-RELEASE FreeBSD 6.1-RELEASE #0: Sun May 7 04:42:56 UTC 2006 root@opus.cse.buffalo.edu:/usr/obj/usr/src/sys/SMP i386
>Description:
I noticed what I think is a double free problem by code inspection. It appears to be in 6.1 (which I'm using) and HEAD. I have not seen any problem during use.

In ip6_output.c:copypktopts(), if an error occurs while copying the packet options from src to dst, the routine frees all the fields in dst, but does not set them to NULL. It then returns error status.

Some callers of copypktopts() (via in6_setpktopts()) handle the error by calling in6_clearpktopts() on dst, which will try to free the fields again, as they are not NULL.

Specifically, raw_ip6.c:rip6_output() and udp_usrreq.c:udp6_output() both call ip6_setpktopts, passing src and dst pktopts pointers, and handle the error by calling in6_clearpktopts.

Regards,
Peter Hunt
Nokia Enterprise Solutions
>How-To-Repeat:
>Fix:
I think this problem can be solved by having clearpktopts() zero out the fields after freeing them (or calling ip6_initpktopts on dst).
>Release-Note:
>Audit-Trail:
>Unformatted:
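The error-path pattern the report describes, reduced to a stand-alone C program (an added example, not the FreeBSD kernel's code or the reporter's patch). `struct pktopts`, `copy_pktopts_buggy`, `copy_pktopts_fixed`, `clear_pktopts`, `init_pktopts` and `run_scenario` are constructed stand-ins for the ip6_pktopts copy/clear/init routines named in the PR; `xalloc`/`xfree` form a tiny allocation tracker that injects an allocation failure and counts frees of already-freed pointers instead of handing them to `free()` a second time, which is the role a sanitizer or a kernel memory debugger plays when hunting this class of bug. The buggy copy frees the partially built destination on error but leaves the pointers dangling, so the caller's cleanup (what rip6_output() and udp6_output() do on error) frees them again; the fixed copy clears and NULLs them first, so the caller's cleanup becomes a no-op.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified stand-in for struct ip6_pktopts (constructed for this
 * example, not the kernel's definition): three heap-allocated options. */
struct pktopts {
    void *hbh;    /* hop-by-hop options */
    void *dest1;  /* destination options */
    void *rthdr;  /* routing header */
};

/* Minimal allocation tracker: remembers live allocations, fails the
 * fail_at-th allocation on request, and counts frees of pointers that are
 * no longer live rather than calling free() on them a second time. */
#define MAX_LIVE 16
#define OPT_LEN 8
static void *live[MAX_LIVE];
static int alloc_calls, fail_at, double_frees;

static void *xalloc(size_t n) {
    if (++alloc_calls == fail_at)
        return NULL;                      /* injected allocation failure */
    void *p = malloc(n);
    if (p == NULL)
        return NULL;
    for (int i = 0; i < MAX_LIVE; i++)
        if (live[i] == NULL) { live[i] = p; return p; }
    free(p);                              /* tracker full: report as failure */
    return NULL;
}

static void xfree(void *p) {
    if (p == NULL)
        return;
    for (int i = 0; i < MAX_LIVE; i++)
        if (live[i] == p) { live[i] = NULL; free(p); return; }
    double_frees++;                       /* pointer was already freed */
}

/* Analogue of ip6_initpktopts(): every field starts out NULL. */
static void init_pktopts(struct pktopts *o) { memset(o, 0, sizeof(*o)); }

/* Analogue of in6_clearpktopts(): free each non-NULL field and reset it. */
static void clear_pktopts(struct pktopts *o) {
    xfree(o->hbh);   o->hbh = NULL;
    xfree(o->dest1); o->dest1 = NULL;
    xfree(o->rthdr); o->rthdr = NULL;
}

/* Duplicate one option; a NULL source simply yields a NULL copy. */
static int dup_opt(void **dst, const void *src) {
    if (src == NULL) { *dst = NULL; return 0; }
    if ((*dst = xalloc(OPT_LEN)) == NULL)
        return -1;
    memcpy(*dst, src, OPT_LEN);
    return 0;
}

/* The pattern the PR describes: on error the half-built dst is freed, but
 * its pointers are left dangling for the caller's cleanup to free again. */
static int copy_pktopts_buggy(struct pktopts *dst, const struct pktopts *src) {
    if (dup_opt(&dst->hbh, src->hbh) != 0 ||
        dup_opt(&dst->dest1, src->dest1) != 0 ||
        dup_opt(&dst->rthdr, src->rthdr) != 0) {
        xfree(dst->hbh);
        xfree(dst->dest1);
        xfree(dst->rthdr);
        return -1;
    }
    return 0;
}

/* The fix the PR suggests: free *and* NULL the fields (equivalently,
 * re-initialise dst), so a second cleanup by the caller finds nothing. */
static int copy_pktopts_fixed(struct pktopts *dst, const struct pktopts *src) {
    if (dup_opt(&dst->hbh, src->hbh) != 0 ||
        dup_opt(&dst->dest1, src->dest1) != 0 ||
        dup_opt(&dst->rthdr, src->rthdr) != 0) {
        clear_pktopts(dst);
        return -1;
    }
    return 0;
}

/* Build a src with all three options, make the third allocation inside the
 * copy fail, then run the caller's error handling (clear dst) the way
 * rip6_output()/udp6_output() do. Returns the number of double frees seen. */
static int run_scenario(int (*copy)(struct pktopts *, const struct pktopts *)) {
    struct pktopts src, dst;
    init_pktopts(&src);
    init_pktopts(&dst);
    alloc_calls = fail_at = double_frees = 0;
    if (dup_opt(&src.hbh, "hbh-opt") || dup_opt(&src.dest1, "dst-opt") ||
        dup_opt(&src.rthdr, "rt-hdr!")) {
        clear_pktopts(&src);
        return -1;                        /* genuine allocation failure */
    }
    alloc_calls = 0;
    fail_at = 3;                          /* rthdr copy fails after hbh, dest1 */
    int rc = copy(&dst, &src);
    fail_at = 0;
    if (rc != 0)
        clear_pktopts(&dst);              /* the caller's error path */
    clear_pktopts(&src);
    return double_frees;
}

int main(void) {
    printf("buggy copy: %d double free(s) during caller cleanup\n",
           run_scenario(copy_pktopts_buggy));
    printf("fixed copy: %d double free(s) during caller cleanup\n",
           run_scenario(copy_pktopts_fixed));
    return 0;
}
```

With the third allocation failing, the buggy copy has already allocated and then freed `hbh` and `dest1`, so the caller's `clear_pktopts()` frees both a second time and the tracker reports 2; the fixed copy reports 0. The same scenario run under a real kernel would be the difference between a silent heap corruption and a clean error return, which is why a free-on-error path should always leave the structure in its initialised state.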