kern/116360: Potential double-free on error when copying IPv6 output options.

Peter Hunt peter.hunt at nokia.com
Fri Sep 14 15:20:02 PDT 2007


>Number:         116360
>Category:       kern
>Synopsis:       Potential double-free on error when copying IPv6 output options.
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Sep 14 22:20:01 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator:     Peter Hunt
>Release:        FreeBSD 6.1 RELEASE
>Organization:
Nokia
>Environment:
FreeBSD frente.nes.nokia.com 6.1-RELEASE FreeBSD 6.1-RELEASE #0: Sun May  7 04:42:56 UTC 2006     root at opus.cse.buffalo.edu:/usr/obj/usr/src/sys/SMP  i386
>Description:
I noticed what I think is a double free problem by code inspection. It appears to be in 6.1 (which I'm using) and HEAD. I have not seen any problem during use.

In ip6_output.c:copypktopts(), if an error occurs while copying the packet options from src to dst, the routine frees all the fields in dst, but does not set them to NULL. It then returns error status.

Some callers of copypktopts() (via in6_setpktopts()) handle the error by calling in6_clearpktopts() on dst, which will try to free the fields again, as they are not NULL.

Specifically, raw_ip6.c:rip6_output() and udp_usrreq.c:udp6_output() both call ip6_setpktopts, passing src and dst pktopts pointers, and handle the error by calling in6_clearpktopts.

Regards,

Peter Hunt
Nokia Enterprise Solutions

>How-To-Repeat:

>Fix:
I think this problem can be solved by having clearpktopts() zero out the fields after freeing them (or calling ip6_initpktopts on dst).
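As an added illustration (not code from this PR or from FreeBSD), a reduced C model of the fix the report proposes: the copy routine's error path frees the fields it already copied and sets them to NULL, so the caller's own in6_clearpktopts() call then finds nothing to free instead of freeing a second time. Struct and field names are assumptions, and the failure injection via fail_on is constructed for the example.

```c
#include <stdlib.h>
#include <string.h>

/* Reduced model of struct ip6_pktopts with three of its pointer fields
 * (hypothetical names; the real structure carries more). */
struct pktopts { void *hbh; void *dest; void *rthdr; };

static int frees;    /* counts free() calls so a test can detect a double free */
static int fail_on;  /* 1..3: which field copy fails (0 = none); constructed */

/* Free one field and NULL it, so a later clear finds nothing to release. */
static void freefield(void **p) {
    if (*p == NULL) return;
    free(*p);
    frees++;
    *p = NULL;
}

/* Model of in6_clearpktopts(): safe to call repeatedly on the same dst. */
void clearpktopts(struct pktopts *dst) {
    freefield(&dst->hbh);
    freefield(&dst->dest);
    freefield(&dst->rthdr);
}

static int copyfield(void **dstp, const void *src, size_t len, int idx) {
    if (src == NULL) return 0;
    if (idx == fail_on) return 55;                 /* ENOBUFS, simulated */
    if ((*dstp = malloc(len)) == NULL) return 12;  /* ENOMEM */
    memcpy(*dstp, src, len);
    return 0;
}

/* Model of copypktopts() with the fix applied: on error, release and NULL
 * the fields copied so far instead of leaving dangling pointers in dst. */
int copypktopts(struct pktopts *dst, const struct pktopts *src, size_t len) {
    int error;
    if ((error = copyfield(&dst->hbh,   src->hbh,   len, 1)) != 0 ||
        (error = copyfield(&dst->dest,  src->dest,  len, 2)) != 0 ||
        (error = copyfield(&dst->rthdr, src->rthdr, len, 3)) != 0)
        clearpktopts(dst);
    return error;
}

/* Caller pattern of rip6_output()/udp6_output(): copy, then clear dst.
 * Returns the free() count, which with the fix equals the number of fields
 * successfully copied, never more. */
int caller_scenario(int fail_idx) {
    char a[8] = "hbh", b[8] = "dest", c[8] = "rthdr";
    struct pktopts src = { a, b, c }, dst;
    memset(&dst, 0, sizeof dst);     /* ip6_initpktopts() equivalent */
    frees = 0; fail_on = fail_idx;
    (void)copypktopts(&dst, &src, sizeof a);
    clearpktopts(&dst);              /* caller's clear: a no-op after a failed copy */
    return frees;
}
```

Without the NULL assignment in freefield(), the caller's clearpktopts() would free hbh a second time whenever the copy failed on a later field, which is exactly the path the report describes.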


>Release-Note:
>Audit-Trail:
>Unformatted:

