[Bug 255861] [PATCH] ngatm/netnatm/msg: Fix a use after free in DEF_IE_ENCODE
bugzilla-noreply at freebsd.org
Fri May 14 08:59:12 UTC 2021
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=255861
Bug ID: 255861
Summary: [PATCH] ngatm/netnatm/msg: Fix a use after free in DEF_IE_ENCODE
Product: Base System
Version: CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Many People
Priority: ---
Component: kern
Assignee: bugs at FreeBSD.org
Reporter: lylgood at foxmail.com
Created attachment 224924
--> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=224924&action=edit
recover error code propagation
Bug File: sys/contrib/ngatm/netnatm/msg/uni_ie.c

In function DEF_IE_ENCODE, the macro START_IE2(...) calls uni_encode_ie_hdr(msg,...). msg->buf is freed in the path:
uni_encode_ie_hdr(msg,..)->uni_msg_ensure(msg,..)->uni_msg_destroy(m)->free(m->buf),
and uni_msg_extend() returns an error code.

But the error code propagation is truncated by converting uni_msg_ensure() to void. Then the freed msg->buf is used in the macro SET_IE_LEN(msg) in function DEF_IE_ENCODE().

My patch recovers the error code propagation to avoid the uaf bug.
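The error-swallowing pattern the report describes, as an added illustration that is a constructed model and not the ngatm/netnatm code: a void ensure() destroys the message when extend() fails but cannot tell its caller, so the caller still patches the IE length into the freed buffer; the fixed variant beside it propagates the error code and returns first. The names msg_extend, msg_destroy, set_ie_len, ensure, encode_* and demo are stand-ins for the functions and macros the report names, and the buffer sizes are constructed.

```c
#include <stdlib.h>
#include <stdint.h>
/* Constructed model (not ngatm): encode -> ensure -> extend fails -> destroy -> caller writes. */
struct msg {
    uint8_t *buf;                      /* growable encode buffer */
    size_t len, cap;
    int destroyed, writes_after_free;  /* instrumentation, see set_ie_len() */
};
static int fail_next_extend;           /* hypothetical knob: make the next extend() fail */
/* Stand-in for uni_msg_extend(): grow buf, return -1 on failure. */
static int msg_extend(struct msg *m, size_t need) {
    if (fail_next_extend) { fail_next_extend = 0; return -1; }
    uint8_t *nb = realloc(m->buf, m->len + need);
    if (nb == NULL) return -1;
    m->buf = nb; m->cap = m->len + need; return 0;
}
/* Stand-in for uni_msg_destroy(): the buffer really is freed here. */
static void msg_destroy(struct msg *m) { free(m->buf); m->buf = NULL; m->destroyed = 1; }
/* Stand-in for SET_IE_LEN(): patch the length byte of the 4-byte IE header.
 * The destroyed check counts the bad write instead of touching freed memory. */
static void set_ie_len(struct msg *m, size_t hdr) {
    if (m->destroyed) { m->writes_after_free++; return; }
    m->buf[hdr + 2] = (uint8_t)(m->len - hdr - 4);
}
/* Buggy: ensure() returns void, so the caller never learns that extend() failed. */
static void ensure_void(struct msg *m, size_t need) {
    if (m->cap - m->len < need && msg_extend(m, need) != 0) msg_destroy(m);
}
static int encode_buggy(struct msg *m, size_t hdr, size_t need) {
    ensure_void(m, need);
    m->len += need; set_ie_len(m, hdr);  /* use after free when extend() failed */
    return 0;
}
/* Fixed: propagate the error code and return before the buffer is touched. */
static int ensure(struct msg *m, size_t need) {
    if (m->cap - m->len >= need || msg_extend(m, need) == 0) return 0;
    msg_destroy(m); return -1;
}
static int encode_fixed(struct msg *m, size_t hdr, size_t need) {
    if (ensure(m, need) != 0) return -1;
    m->len += need; set_ie_len(m, hdr);
    return 0;
}
/* Encode a 16-byte body after a constructed 4-byte header; -1 if reported, else bad-write count. */
static int demo(int use_fixed, int fail_extend) {
    struct msg m = { .buf = malloc(8), .len = 4, .cap = 8 };
    fail_next_extend = fail_extend;
    int rc = use_fixed ? encode_fixed(&m, 0, 16) : encode_buggy(&m, 0, 16);
    free(m.buf);                       /* NULL after destroy, so safe either way */
    return rc != 0 ? rc : m.writes_after_free;
}
```

With a forced extend() failure the buggy encoder reports success and records one write into the destroyed buffer, while the fixed encoder returns -1 and never reaches set_ie_len(); when extend() succeeds both behave identically.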