Created attachment 224924 [details] recover error code propagation Bug File: sys/contrib/ngatm/netnatm/msg/uni_ie.c In function DEF_IE_ENCODE, the macro START_IE2(...) calls uni_encode_ie_hdr(msg,...). msg->bug is freed in the path: uni_encode_ie_hdr(msg,..)->uni_msg_ensure(msg,..)->uni_msg_destroy(m)->free(m->buf), and uni_msg_extend() returns a error code. But the error code propagation is truncated by converting uni_msg_ensure() to void. Then the freed msg-buf is used in the macro SET_IE_LEN(msg) in function DEF_IE_ENCODE(). My patch recovers the error code propagation to avoid the uaf bug.
https://reviews.freebsd.org/D30611
A commit in branch main references this bug: URL: https://cgit.FreeBSD.org/src/commit/?id=e755e2776ddff729ae4102f3273473aa33b00077 commit e755e2776ddff729ae4102f3273473aa33b00077 Author: Mark Johnston <markj@FreeBSD.org> AuthorDate: 2021-06-06 20:42:16 +0000 Commit: Mark Johnston <markj@FreeBSD.org> CommitDate: 2021-06-06 20:44:47 +0000 ngatm: Handle errors from uni_msg_extend() uni_msg_extend() may fail due to a memory allocation failure. In this case, though, the message is freed, so callers shouldn't touch it. PR: 255861 Reviewed by: harti MFC after: 1 week Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D30611 sys/contrib/ngatm/netnatm/msg/uni_ie.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-)
A commit in branch stable/12 references this bug: URL: https://cgit.FreeBSD.org/src/commit/?id=4e30dd0567da0ce7e34d9a3438e978465584b161 commit 4e30dd0567da0ce7e34d9a3438e978465584b161 Author: Mark Johnston <markj@FreeBSD.org> AuthorDate: 2021-06-06 20:42:16 +0000 Commit: Mark Johnston <markj@FreeBSD.org> CommitDate: 2021-06-14 20:24:48 +0000 ngatm: Handle errors from uni_msg_extend() uni_msg_extend() may fail due to a memory allocation failure. In this case, though, the message is freed, so callers shouldn't touch it. PR: 255861 Reviewed by: harti Sponsored by: The FreeBSD Foundation (cherry picked from commit e755e2776ddff729ae4102f3273473aa33b00077) sys/contrib/ngatm/netnatm/msg/uni_ie.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-)
A commit in branch stable/13 references this bug: URL: https://cgit.FreeBSD.org/src/commit/?id=09e47586d72f4940eea1e70df706dbc165ad0415 commit 09e47586d72f4940eea1e70df706dbc165ad0415 Author: Mark Johnston <markj@FreeBSD.org> AuthorDate: 2021-06-06 20:42:16 +0000 Commit: Mark Johnston <markj@FreeBSD.org> CommitDate: 2021-06-14 20:25:14 +0000 ngatm: Handle errors from uni_msg_extend() uni_msg_extend() may fail due to a memory allocation failure. In this case, though, the message is freed, so callers shouldn't touch it. PR: 255861 Reviewed by: harti Sponsored by: The FreeBSD Foundation (cherry picked from commit e755e2776ddff729ae4102f3273473aa33b00077) sys/contrib/ngatm/netnatm/msg/uni_ie.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-)