Fix freeing of ACLs in 'setfacl'

Edward Tomasz Napierala trasz at FreeBSD.org
Sat Sep 6 13:37:16 UTC 2008


----- Forwarded message from Edward Tomasz Napierala <trasz at FreeBSD.org> -----

Date: Sat, 6 Sep 2008 13:17:35 +0000 (UTC)
Subject: svn commit: r182813 - head/bin/setfacl
From: Edward Tomasz Napierala <trasz at FreeBSD.org>
To: src-committers at freebsd.org

Author: trasz
Date: Sat Sep  6 13:17:35 2008
New Revision: 182813
URL: http://svn.freebsd.org/changeset/base/182813

Log:
  Fix double free in setfacl(1).  Description from the author:
  
  Initially, 'acl' (an 'acl_t *') is allocated, and its ACCESS_ACL and
  DEFAULT_ACL fields are passed to the 'libc' ACL routines for subsequent
  allocation. If the '-m' option (merge existing ACL with a new one) is
  specified, then 'set_acl_mask()' will be called and passed one of the
  two ACLs. This function, in turn, replaces this given ACL structure by
  another, freshly allocated. However, the pointer in the 'acl' variable
  in the caller is not updated. The caller then proceeds to free the ACL,
  incurring a double free condition.
  
  Submitted by:	Pedro Martelletto <pedro at ambientworks.net>
  Approved by:	rwatson (mentor)

Modified:
  head/bin/setfacl/setfacl.c

Modified: head/bin/setfacl/setfacl.c
==============================================================================
--- head/bin/setfacl/setfacl.c	Sat Sep  6 10:12:52 2008	(r182812)
+++ head/bin/setfacl/setfacl.c	Sat Sep  6 13:17:35 2008	(r182813)
@@ -245,10 +245,13 @@ main(int argc, char *argv[])
 			continue;
 		}
 
-		if (acl_type == ACL_TYPE_ACCESS)
+		if (acl_type == ACL_TYPE_ACCESS) {
 			final_acl = acl[ACCESS_ACL];
-		else
+			acl_free(acl[DEFAULT_ACL]);
+		} else {
 			final_acl = acl[DEFAULT_ACL];
+			acl_free(acl[ACCESS_ACL]);
+		}
 
 		if (need_mask && (set_acl_mask(&final_acl) == -1)) {
 			warnx("failed to set ACL mask on %s", file->filename);
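Review bot: The set_acl_mask() failure branch at the end of this hunk now runs after the unused ACL has already been released, so if it skips to the next file it has to release both final_acl and acl itself; please confirm that, or route the failure through the common cleanup at the bottom of the loop. Separately, after the new acl_free() calls the freed slot (acl[DEFAULT_ACL] or acl[ACCESS_ACL]) stays in the array as a dangling pointer for the rest of the iteration; setting it to NULL right after the free would make any later use fail visibly.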
@@ -269,8 +272,7 @@ main(int argc, char *argv[])
 			}
 		}
 
-		acl_free(acl[ACCESS_ACL]);
-		acl_free(acl[DEFAULT_ACL]);
+		acl_free(final_acl);
 		free(acl);
 	}
 
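Review bot: The single acl_free(final_acl) here is only balanced if set_acl_mask() releases the ACL it replaces, which the log implies but the code does not state; a short comment above this call saying that final_acl owns the one surviving ACL (and that the other was freed when final_acl was chosen) would keep the next change from reintroducing a free through acl[]. It is also worth checking that every continue between the selection of final_acl and this line frees final_acl and acl, since this is now the only visible release point.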

----- End forwarded message -----
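The ownership problem described in the commit log, as an added example that is not part of the original message or of setfacl(1). It models ACLs as integer handles; `toy_alloc`, `toy_free`, `toy_set_mask`, `old_cleanup` and `fixed_cleanup` are hypothetical names, and `toy_set_mask` assumes the behaviour the log attributes to `set_acl_mask()` (replace the ACL and release the one passed in).

```c
#include <stdio.h>

/* Toy ACL handles (constructed model): ids are never reused, so a stale id stays detectable. */
enum { ACCESS_ACL, DEFAULT_ACL, MAX_IDS = 64 };
static int live[MAX_IDS], next_id, bad_frees;

static void reset(void) {
    for (int i = 0; i < MAX_IDS; i++) live[i] = 0;
    next_id = 1; bad_frees = 0;
}
static int toy_alloc(void) { live[next_id] = 1; return next_id++; }
static void toy_free(int id) {
    if (live[id]) live[id] = 0;
    else bad_frees++;              /* handle is not live: double free */
}
static int leaked(void) {          /* handles still live after cleanup */
    int n = 0;
    for (int i = 0; i < MAX_IDS; i++) n += live[i];
    return n;
}
/* Assumed behaviour of set_acl_mask(): swap *aclp for a fresh ACL, free the old one. */
static void toy_set_mask(int *aclp) {
    int fresh = toy_alloc();
    toy_free(*aclp);
    *aclp = fresh;
}
/* Cleanup as before r182813: frees through acl[], which still holds the old handle. */
static int old_cleanup(int type, int need_mask) {
    reset();
    int acl[2] = { toy_alloc(), toy_alloc() };
    int final_acl = acl[type];
    if (need_mask) toy_set_mask(&final_acl);
    toy_free(acl[ACCESS_ACL]);
    toy_free(acl[DEFAULT_ACL]);
    return bad_frees;
}
/* Cleanup as after r182813: drop the unused ACL early, free only final_acl at the end. */
static int fixed_cleanup(int type, int need_mask) {
    reset();
    int acl[2] = { toy_alloc(), toy_alloc() };
    int final_acl = acl[type];
    toy_free(acl[!type]);
    if (need_mask) toy_set_mask(&final_acl);
    toy_free(final_acl);
    return bad_frees;
}
int main(void) {
    printf("old, -m:   bad frees=%d leaked=%d\n", old_cleanup(ACCESS_ACL, 1), leaked());
    printf("fixed, -m: bad frees=%d leaked=%d\n", fixed_cleanup(ACCESS_ACL, 1), leaked());
    return 0;
}
```

In this model the old cleanup also leaks the replacement ACL, because nothing frees the handle that only `final_acl` refers to.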


