[Bug 255870] [PATCH] rpc/rpcsec_gss: Fix a double free in rpc_gss_marshal
bugzilla-noreply at freebsd.org
Fri May 14 12:03:58 UTC 2021
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=255870
Bug ID: 255870
Summary: [PATCH] rpc/rpcsec_gss: Fix a double free in rpc_gss_marshal
Product: Base System
Version: CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Many People
Priority: ---
Component: kern
Assignee: bugs at FreeBSD.org
Reporter: lylgood at foxmail.com
Created attachment 224934
--> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=224934&action=edit
assigns verf.oa_base to checksum.value back
Bug File: sys/rpc/rpcsec_gss/rpcsec_gss.c
In function rpc_gss_marshal, checksum.value is assigned to verf.oa_base at line
591. Then verf.oa_base is freed via xdr_opaque_auth()->xdr_bytes()->mem_free(),
and verf.oa_base is set to NULL. Notice that checksum.value is now a dangling
pointer which points to a freed memory object.
Then gss_release_buffer() at line 595 is called, and the memory object pointed
to by checksum.value is freed via free() again.
As verf.oa_base is set to NULL when it is freed, my patch assigns verf.oa_base
back to checksum.value. If verf.oa_base has been freed, the value of
checksum.value will be NULL and no double free happens.
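The aliasing pattern described in this report, reduced to a stand-alone model. This is an added example, not the FreeBSD code or the reporter's patch: the struct types, xdr_opaque_auth_free(), gss_release_buffer_model() and marshal_sequence() are constructed stand-ins that follow the description above (one helper frees the buffer through the verf alias and nulls only that alias; a second helper releases through checksum.value). A small free() tracker counts a second free of the same block instead of letting it corrupt the heap, so both the original sequence and the patched one can be run and compared.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-ins for the two structures named in the report
 * (not the real FreeBSD/GSS-API definitions). */
struct opaque_auth_t { char *oa_base; unsigned int oa_length; };
struct gss_buffer_t  { size_t length; void *value; };

/* Tiny free() tracker: remembers freed blocks so that a second free of the
 * same pointer is counted rather than passed to free() again. */
#define MAX_TRACKED 16
static void *freed[MAX_TRACKED];
static int nfreed;
static int double_frees;

static void tracked_free(void *p)
{
    if (p == NULL)
        return;
    for (int i = 0; i < nfreed; i++) {
        if (freed[i] == p) {      /* already released: this is the double free */
            double_frees++;
            return;
        }
    }
    if (nfreed < MAX_TRACKED)
        freed[nfreed++] = p;
    free(p);
}

static void reset_tracker(void) { nfreed = 0; double_frees = 0; }

/* Models xdr_opaque_auth()->xdr_bytes()->mem_free(): releases oa_base and
 * nulls the verf side of the alias only. */
static void xdr_opaque_auth_free(struct opaque_auth_t *verf)
{
    tracked_free(verf->oa_base);
    verf->oa_base = NULL;
    verf->oa_length = 0;
}

/* Models gss_release_buffer(): frees value if it is non-NULL. */
static void gss_release_buffer_model(struct gss_buffer_t *buf)
{
    if (buf->value != NULL) {
        tracked_free(buf->value);
        buf->value = NULL;
    }
    buf->length = 0;
}

/* The sequence from the report. resync == 0 reproduces the original flow:
 * checksum.value still holds the freed pointer when the buffer is released.
 * resync == 1 applies the patch's idea: copy verf.oa_base (now NULL) back
 * into checksum.value before the release. Returns the double-free count. */
static int marshal_sequence(int resync)
{
    struct gss_buffer_t checksum = { 8, malloc(8) };
    struct opaque_auth_t verf = { NULL, 0 };
    memset(checksum.value, 0xAB, 8);        /* constructed checksum bytes */

    verf.oa_base = checksum.value;          /* the aliasing assignment */
    verf.oa_length = (unsigned int)checksum.length;

    xdr_opaque_auth_free(&verf);            /* block freed, verf.oa_base = NULL */

    if (resync)
        checksum.value = verf.oa_base;      /* patch: alias becomes NULL too */

    gss_release_buffer_model(&checksum);    /* original flow frees the block again */
    return double_frees;
}

static int run_original(void) { reset_tracker(); return marshal_sequence(0); }
static int run_patched(void)  { reset_tracker(); return marshal_sequence(1); }

int main(void)
{
    printf("original sequence: %d double free(s)\n", run_original());
    printf("patched sequence:  %d double free(s)\n", run_patched());
    return 0;
}
```

The general point the model makes visible: when two pointers alias one allocation and only one of them is nulled by the routine that frees it, the other must be re-derived from the nulled one (or cleared explicitly) before any later release path runs on it.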