diff options
| author | ngie <ngie@FreeBSD.org> | 2017-01-13 08:55:41 +0000 |
|---|---|---|
| committer | ngie <ngie@FreeBSD.org> | 2017-01-13 08:55:41 +0000 |
| commit | 5eba66bc9dc931a1883008aedee41e63ed861f86 (patch) | |
| tree | 8328ac4cc2a85b67e9ddf5a8bcf4c2429f4bfb8f | |
| parent | db760939bcf65c93e1b2c9c7c22ac7a904e842bf (diff) | |
| download | FreeBSD-src-5eba66bc9dc931a1883008aedee41e63ed861f86.zip FreeBSD-src-5eba66bc9dc931a1883008aedee41e63ed861f86.tar.gz | |
MFC r310729:
Prevent improper memory accesses after calling snmp_pdu_free and snmp_value_free
snmp_pdu_free: set pdu->nbindings to 0 to limit the damage that
could happen if a pdu was reused after calling the function, and
as both stack and heap allocation types are used in contrib/bsnmp
and usr.sbin/bsnmpd.
snmp_value_free: NULL out value->v.octetstring.octets after calling
free on it to prevent a double-free from occurring.
| -rw-r--r-- | contrib/bsnmp/lib/snmp.c | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/contrib/bsnmp/lib/snmp.c b/contrib/bsnmp/lib/snmp.c index 68f46f9..d86f88a 100644 --- a/contrib/bsnmp/lib/snmp.c +++ b/contrib/bsnmp/lib/snmp.c @@ -1154,8 +1154,11 @@ snmp_pdu_dump(const struct snmp_pdu *pdu) void snmp_value_free(struct snmp_value *value) { - if (value->syntax == SNMP_SYNTAX_OCTETSTRING) + + if (value->syntax == SNMP_SYNTAX_OCTETSTRING) { free(value->v.octetstring.octets); + value->v.octetstring.octets = NULL; + } value->syntax = SNMP_SYNTAX_NULL; } @@ -1216,6 +1219,7 @@ snmp_pdu_free(struct snmp_pdu *pdu) for (i = 0; i < pdu->nbindings; i++) snmp_value_free(&pdu->bindings[i]); + pdu->nbindings = 0; } /* |
