From trasz at FreeBSD.org Sat Sep 6 13:37:16 2008
From: trasz at FreeBSD.org (Edward Tomasz Napierala)
Date: Sat Sep 6 13:42:07 2008
Subject: Fix freeing of ACLs in 'setfacl'
Message-ID: <20080906132512.GA77144@pin.if.uz.zgora.pl>

----- Forwarded message from Edward Tomasz Napierala -----

Date: Sat, 6 Sep 2008 13:17:35 +0000 (UTC)
Subject: svn commit: r182813 - head/bin/setfacl
From: Edward Tomasz Napierala
To: src-committers@freebsd.org

Author: trasz
Date: Sat Sep 6 13:17:35 2008
New Revision: 182813
URL: http://svn.freebsd.org/changeset/base/182813

Log:
  Fix double free in setfacl(1).

  Description from the author:

  Initially, 'acl' (an 'acl_t *') is allocated, and its ACCESS_ACL and
  DEFAULT_ACL fields are passed to the 'libc' ACL routines for subsequent
  allocation. If the '-m' option (merge existing ACL with a new one) is
  specified, then 'set_acl_mask()' will be called and passed one of the
  two ACLs. This function, in turn, replaces this given ACL structure by
  another, freshly allocated. However, the pointer in the 'acl' variable
  in the caller is not updated. The caller then proceeds to free the ACL,
  incurring a double free condition.

  Submitted by: Pedro Martelletto
  Approved by: rwatson (mentor)

Modified:
  head/bin/setfacl/setfacl.c

Modified: head/bin/setfacl/setfacl.c
==============================================================================
--- head/bin/setfacl/setfacl.c Sat Sep 6 10:12:52 2008 (r182812) +++ head/bin/setfacl/setfacl.c Sat Sep 6 13:17:35 2008 (r182813) @@ -245,10 +245,13 @@ main(int argc, char *argv[]) continue; } - if (acl_type == ACL_TYPE_ACCESS) + if (acl_type == ACL_TYPE_ACCESS) { final_acl = acl[ACCESS_ACL]; - else + acl_free(acl[DEFAULT_ACL]); + } else { final_acl = acl[DEFAULT_ACL]; + acl_free(acl[ACCESS_ACL]); + } if (need_mask && (set_acl_mask(&final_acl) == -1)) { warnx("failed to set ACL mask on %s", file->filename);
@@ -269,8 +272,7 @@ main(int argc, char *argv[]) } } - acl_free(acl[ACCESS_ACL]); - acl_free(acl[DEFAULT_ACL]); + acl_free(final_acl); free(acl); } ----- End forwarded message -----
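Review bot: In the first hunk (@@ -245,10 +245,13 @@), the array slots are left holding pointers that are no longer valid. After acl_free(acl[DEFAULT_ACL]) (or acl_free(acl[ACCESS_ACL]) in the else branch) the freed slot keeps its old value, and once set_acl_mask(&final_acl) replaces the ACL, as the log describes, the selected slot is stale as well. Nothing in the visible lines prevents later code in the same iteration from reading acl[...] again. Consider setting both entries to NULL once final_acl has been chosen, or adding a comment that only final_acl may be used from this point on.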
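Review bot: In the second hunk (@@ -269,8 +272,7 @@), acl_free(final_acl) and free(acl) are now the only release of the selected ACL and of the array, so any path that abandons the iteration before reaching them skips both. The first hunk's context shows that this loop uses continue; to leave an iteration early, and the lines following warnx("failed to set ACL mask on %s", file->filename); are not visible here, so that error path is worth checking for a leak. Separately, if set_acl_mask() can fail after releasing the ACL it was given, final_acl must not be freed again on that path; a short comment on set_acl_mask() stating what final_acl points to on failure would settle it.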