author | delphij <delphij@FreeBSD.org> | 2017-06-25 17:42:27 +0000 |
---|---|---|
committer | delphij <delphij@FreeBSD.org> | 2017-06-25 17:42:27 +0000 |
commit | f7f0706a3602e5f13a22a902087a889f29dab837 (patch) | |
tree | 26f413b3b427a30665ab2cea9373597271f5c610 /lib/libc/rpc | |
parent | 16eacbb0f42e7f78eb46a528619ae3b2896c697e (diff) | |
MFC r320216: Fix use-after-free introduced in r300388.

In r300388, endnetconfig() was called on nc_handle which would release
the associated netconfig structure, which means tmpnconf->nc_netid
would be a use-after-free.

Solve this by doing endnetconfig() in return paths instead.

Reported by: jemalloc via kevlo
Reviewed by: cem, ngie (earlier version)
Approved by: re (kib)
Diffstat (limited to 'lib/libc/rpc')
-rw-r--r-- | lib/libc/rpc/rpcb_clnt.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/lib/libc/rpc/rpcb_clnt.c b/lib/libc/rpc/rpcb_clnt.c index f9d89c1..8c9b8ca 100644 --- a/lib/libc/rpc/rpcb_clnt.c +++ b/lib/libc/rpc/rpcb_clnt.c @@ -499,14 +499,15 @@ try_nconf: hostname = IN6_LOCALHOST_STRING; } } - endnetconfig(nc_handle); if (tmpnconf == NULL) { + endnetconfig(nc_handle); rpc_createerr.cf_stat = RPC_UNKNOWNPROTO; mutex_unlock(&loopnconf_lock); return (NULL); } loopnconf = getnetconfigent(tmpnconf->nc_netid); /* loopnconf is never freed */ + endnetconfig(nc_handle); } mutex_unlock(&loopnconf_lock); client = getclnthandle(hostname, loopnconf, NULL); |
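Review bot: The ordering constraint behind the second added `endnetconfig(nc_handle);` (after `loopnconf = getnetconfigent(tmpnconf->nc_netid);`) is not documented in the code, and that same ordering mistake is what r300388 introduced. Per the commit message, `tmpnconf` points into storage released by `endnetconfig()`, so a short comment at that call stating that `tmpnconf` must not be dereferenced once `nc_handle` is ended would keep a later cleanup from hoisting the call back above the `tmpnconf == NULL` check. Separately, the result of `getnetconfigent()` is passed to `getclnthandle(hostname, loopnconf, NULL)` with no NULL check visible in this hunk. If `getclnthandle()` does not handle a NULL netconfig itself, the failure path should set `rpc_createerr.cf_stat` and return here, as the `tmpnconf == NULL` branch does.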