authordelphij <delphij@FreeBSD.org>2017-06-25 05:46:03 +0000
committerdelphij <delphij@FreeBSD.org>2017-06-25 05:46:03 +0000
commitfcce4148584876e3cabb698b445b6efda15e4ee6 (patch)
treec0a309e2d17fd4215f55a9bb41238b7cd28f29be /lib
parentdeacf3bf7cab31f93f26daa334eb6ac860d508c2 (diff)
MFC r320216: Fix use-after-free introduced in r300388.
In r300388, endnetconfig() was called on nc_handle which would release the associated netconfig structure, which means tmpnconf->nc_netid would be a use-after-free. Solve this by doing endnetconfig() in return paths instead. Reported by: jemalloc via kevlo Reviewed by: cem, ngie (earlier version)
Diffstat (limited to 'lib')
-rw-r--r--lib/libc/rpc/rpcb_clnt.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/lib/libc/rpc/rpcb_clnt.c b/lib/libc/rpc/rpcb_clnt.c
index f9d89c1..8c9b8ca 100644
--- a/lib/libc/rpc/rpcb_clnt.c
+++ b/lib/libc/rpc/rpcb_clnt.c
@@ -499,14 +499,15 @@ try_nconf:
hostname = IN6_LOCALHOST_STRING;
}
}
- endnetconfig(nc_handle);
if (tmpnconf == NULL) {
+ endnetconfig(nc_handle);
rpc_createerr.cf_stat = RPC_UNKNOWNPROTO;
mutex_unlock(&loopnconf_lock);
return (NULL);
}
loopnconf = getnetconfigent(tmpnconf->nc_netid);
/* loopnconf is never freed */
+ endnetconfig(nc_handle);
}
mutex_unlock(&loopnconf_lock);
client = getclnthandle(hostname, loopnconf, NULL);
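Review bot: The ordering this fix depends on is not recorded in the code: the second `endnetconfig(nc_handle)` must stay after `getnetconfigent(tmpnconf->nc_netid)` because, per the commit message, releasing the handle frees the netconfig structure that `tmpnconf` points to. The only nearby comment, `/* loopnconf is never freed */`, describes a different object, so a later cleanup could hoist the call again, as r300388 did. I would add a comment above the second call such as `/* tmpnconf points into storage owned by nc_handle; release the handle only after the last use of tmpnconf */`. Separately, the result of `getnetconfigent()` reaches `getclnthandle()` without a NULL check in the visible lines; whether the callee tolerates a NULL `loopnconf` cannot be confirmed from this hunk. The enclosing function starts and ends outside the hunk.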