[Bug 255863] [PATCH] dev/cxgb: Fix a use after free in get_packet

Fri May 14 10:11:06 UTC 2021

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=255863

            Bug ID: 255863
           Summary: [PATCH] dev/cxgb: Fix a use after free in get_packet
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: bugs at FreeBSD.org
          Reporter: lylgood at foxmail.com

Created attachment 224927
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=224927&action=edit
add new variables to avoid uaf.

Bug File: sys/dev/cxgb/cxgb_sge.c

In function get_packet, m is freed via m_freem() at line 2,775 in the case
RSPQ_NSOP_NEOP. However, the freed m is used in m->m_len and m->m_pkthdr.len
in printf(). This is a use after free bug and could print security-sensitive
information. Alough it exist in debug mode, it is worthy to fix it.

My patch uses "m_len = m->m_len" and "m_pkthdr_len = m->m_pkthdr.len" to avoid
the uaf bug.

-- 
You are receiving this mail because:
You are the assignee for the bug.