svn commit: r301810 - stable/9/usr.sbin/rtadvd
Garrett Cooper
ngie at FreeBSD.org
Fri Jun 10 18:22:22 UTC 2016
Author: ngie
Date: Fri Jun 10 18:22:21 2016
New Revision: 301810
URL: https://svnweb.freebsd.org/changeset/base/301810
Log:
MFstable/10 r301809:
MFC r299513,r299515:
r299513 (by cem):
rtadvd(8): Don't use-after-free
This whole block of code was committed fully formed in r224144. I'm not really
sure what the intent was, but it seems plausible that !persist ifis could need
other member cleanup. Don't free the object until after we've finished
cleaning its members.
CID: 1006079
r299515 (by cem):
rtadvd(8): Fix use-after-close in cm_handler_client
cm_send() closes 'fd' on error. In that case, bail out early without trying to
recv from or close 'fd' again.
CID: 1006078
Modified:
stable/9/usr.sbin/rtadvd/config.c
stable/9/usr.sbin/rtadvd/control_client.c
Directory Properties:
stable/9/ (props changed)
stable/9/usr.sbin/ (props changed)
stable/9/usr.sbin/rtadvd/ (props changed)
Modified: stable/9/usr.sbin/rtadvd/config.c
==============================================================================
--- stable/9/usr.sbin/rtadvd/config.c Fri Jun 10 18:21:05 2016 (r301809)
+++ stable/9/usr.sbin/rtadvd/config.c Fri Jun 10 18:22:21 2016 (r301810)
@@ -229,7 +229,6 @@ rm_ifinfo(struct ifinfo *ifi)
TAILQ_REMOVE(&ifilist, ifi, ifi_next);
syslog(LOG_DEBUG, "<%s>: ifinfo (idx=%d) removed.",
__func__, ifi->ifi_ifindex);
- free(ifi);
} else {
/* recreate an empty entry */
update_persist_ifinfo(&ifilist, ifi->ifi_ifname);
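Review bot: With 'free(ifi);' removed from the branch that runs TAILQ_REMOVE, ifi is unlinked from ifilist but stays allocated for the rest of rm_ifinfo(), so any return path between this point and the end of the function would now leak it. Worth confirming that the final 'return (0);' is the only exit after this branch, or routing any earlier exits through a common cleanup label that performs the free.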
@@ -273,6 +272,8 @@ rm_ifinfo(struct ifinfo *ifi)
}
syslog(LOG_DEBUG, "<%s> leave (%s).", __func__, ifi->ifi_ifname);
+ if (!ifi->ifi_persist)
+ free(ifi);
return (0);
}
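Review bot: The new 'if (!ifi->ifi_persist)' before 'return (0);' has to select exactly the same objects as the branch that ran TAILQ_REMOVE earlier in rm_ifinfo(), and that branch's condition is not visible in this diff. If the two tests can ever differ, or ifi_persist can change in between, the result is either a leak of an unlinked entry or a free of an entry that was never removed from the list. A local flag set in the removal branch and tested here would make the pairing explicit. Keeping the free after the final syslog() that reads ifi->ifi_ifname is the right order; a short comment saying the free is deliberately last would help it stay there.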
Modified: stable/9/usr.sbin/rtadvd/control_client.c
==============================================================================
--- stable/9/usr.sbin/rtadvd/control_client.c Fri Jun 10 18:21:05 2016 (r301809)
+++ stable/9/usr.sbin/rtadvd/control_client.c Fri Jun 10 18:22:21 2016 (r301810)
@@ -92,9 +92,11 @@ cm_handler_client(int fd, int state, cha
case CM_STATE_MSG_DISPATCH:
cm->cm_version = CM_VERSION;
error = cm_send(fd, buf);
- if (error)
+ if (error) {
syslog(LOG_WARNING,
"<%s> cm_send()", __func__);
+ return (-1);
+ }
state = CM_STATE_ACK_WAIT;
break;
case CM_STATE_ACK_WAIT:
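Review bot: The early 'return (-1);' in the cm_send() error path is only safe because cm_send() closes 'fd' on failure, which the log message states but the code does not. A one-line comment at the return saying fd is already closed, and that the caller must not close it again, would keep a later change from reintroducing the double close. The syslog() call could also log the error value, since '<%s> cm_send()' alone says nothing about why the send failed.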