diff options
| author | delphij <delphij@FreeBSD.org> | 2017-06-25 17:42:27 +0000 |
|---|---|---|
| committer | delphij <delphij@FreeBSD.org> | 2017-06-25 17:42:27 +0000 |
| commit | f7f0706a3602e5f13a22a902087a889f29dab837 (patch) | |
| tree | 26f413b3b427a30665ab2cea9373597271f5c610 /lib | |
| parent | 16eacbb0f42e7f78eb46a528619ae3b2896c697e (diff) | |
| download | FreeBSD-src-f7f0706a3602e5f13a22a902087a889f29dab837.zip FreeBSD-src-f7f0706a3602e5f13a22a902087a889f29dab837.tar.gz | |
MFC r320216: Fix use-after-free introduced in r300388.
In r300388, endnetconfig() was called on nc_handle which would release
the associated netconfig structure, which means tmpnconf->nc_netid
would be a use-after-free.
Solve this by doing endnetconfig() in return paths instead.
Reported by: jemalloc via kevlo
Reviewed by: cem, ngie (earlier version)
Approved by: re (kib)
Diffstat (limited to 'lib')
| -rw-r--r-- | lib/libc/rpc/rpcb_clnt.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/lib/libc/rpc/rpcb_clnt.c b/lib/libc/rpc/rpcb_clnt.c index f9d89c1..8c9b8ca 100644 --- a/lib/libc/rpc/rpcb_clnt.c +++ b/lib/libc/rpc/rpcb_clnt.c @@ -499,14 +499,15 @@ try_nconf: hostname = IN6_LOCALHOST_STRING; } } - endnetconfig(nc_handle); if (tmpnconf == NULL) { + endnetconfig(nc_handle); rpc_createerr.cf_stat = RPC_UNKNOWNPROTO; mutex_unlock(&loopnconf_lock); return (NULL); } loopnconf = getnetconfigent(tmpnconf->nc_netid); /* loopnconf is never freed */ + endnetconfig(nc_handle); } mutex_unlock(&loopnconf_lock); client = getclnthandle(hostname, loopnconf, NULL); |
