[Bug 267050] free(buf) in libbsm/bsm_io.c should be free(*buf)

From: <bugzilla-noreply_at_freebsd.org>
Date: Fri, 14 Oct 2022 13:52:56 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=267050

            Bug ID: 267050
           Summary: free(buf) in libbsm/bsm_io.c should be free(*buf)
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: bin
          Assignee: bugs@FreeBSD.org
          Reporter: rtm@lcs.mit.edu

Created attachment 237300
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=237300&action=edit
auditreduce input that causes a segmentation fault in free()

au_read_rec() in /usr/src/contrib/openbsm/libbsm/bsm_io.c says:

                *buf = malloc(recsize);
                ...;
                        free(buf);

The free(buf) should be free(*buf).

I've attached a demo:

% auditreduce < auditreduce1a.dat
Segmentation fault

Thread 2.1 received signal SIGSEGV, Segmentation fault.
Address not mapped to object.
[Switching to LWP 100451 of process 16127]
0x000000080120ad11 in ?? () from /lib/libc.so.7
(gdb) where
#0  0x000000080120ad11 in ?? () from /lib/libc.so.7
#1  0x0000000801084680 in au_read_rec (fp=0x80127c6c0, buf=0x7fffffffde28)
    at /usr/src/contrib/openbsm/libbsm/bsm_io.c:4600
#2  0x0000000001024851 in select_records (fp=0x80127c6c0)
    at /usr/src/contrib/openbsm/bin/auditreduce/auditreduce.c:532
#3  0x0000000001024384 in main (argc=<optimized out>, argv=<optimized out>)
    at /usr/src/contrib/openbsm/bin/auditreduce/auditreduce.c:829

This is on 13.1-RELEASE-p2 as well as a recent CURRENT.
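
The out-parameter pattern behind this report, as an added example that is not part of the original report or of OpenBSM. `read_rec()`, its 4-byte length-prefixed record layout, the 65536-byte limit, and placing the free on a truncated-record path are assumptions made for illustration; it reads from a memory buffer rather than a `FILE *`.

```c
/* Added illustration: read_rec() and its 4-byte length-prefixed record
 * layout are hypothetical, not OpenBSM's au_read_rec() or the BSM format. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Copies one record from in[0..inlen) into a newly allocated *buf.
 * Returns the record size, or -1 with *buf == NULL on any error. */
int read_rec(const unsigned char *in, size_t inlen, unsigned char **buf)
{
    uint32_t recsize;

    *buf = NULL;
    if (inlen < 4)
        return -1;
    recsize = (uint32_t)in[0] << 24 | (uint32_t)in[1] << 16 |
              (uint32_t)in[2] << 8 | in[3];
    if (recsize == 0 || recsize > 65536)    /* constructed sanity limit */
        return -1;

    *buf = malloc(recsize);
    if (*buf == NULL)
        return -1;
    if (inlen - 4 < recsize) {              /* truncated record */
        /* Writing free(buf) here is the defect from the report: buf is the
         * address of the caller's pointer variable, which malloc() never
         * returned. The block to release is the one stored in *buf. */
        free(*buf);
        *buf = NULL;                        /* no dangling pointer for caller */
        return -1;
    }
    memcpy(*buf, in + 4, recsize);
    return (int)recsize;
}

int main(void)
{
    /* Constructed input: header claims 16 bytes, only 3 follow. */
    const unsigned char truncated[] = { 0, 0, 0, 16, 'a', 'b', 'c' };
    unsigned char *rec = NULL;
    int n = read_rec(truncated, sizeof(truncated), &rec);

    printf("read_rec returned %d, rec = %p\n", n, (void *)rec);
    free(rec);                              /* free(NULL) is a no-op */
    return n == -1 && rec == NULL ? 0 : 1;
}
```

Building the `free(buf)` variant with `-fsanitize=address` reports "attempting free on address which was not malloc()-ed" at the faulty call instead of crashing inside libc.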
