FreeBSD Bugzilla – Attachment 224933 Details for
Bug 255869
[PATCH] kern: Fix a use after free bug in sodealloc
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Help
|
New Account
|
Log In
Remember
[x]
|
Forgot Password
Login:
[x]
[patch]
adds a variable cr_uidinfo
0001-kern-uaf-sodealloc.patch (text/plain), 1.10 KB, created by
lylgood
on 2021-05-14 11:45:04 UTC
(
hide
)
Description:
adds a variable cr_uidinfo
Filename:
MIME Type:
Creator:
lylgood
Created:
2021-05-14 11:45:04 UTC
Size:
1.10 KB
patch
obsolete
>diff --git a/sys/kern/uipc_socket.c b/sys/kern/uipc_socket.c >index ea86f66556ea..3b84d183a66c 100644 >--- a/sys/kern/uipc_socket.c >+++ b/sys/kern/uipc_socket.c >@@ -458,6 +458,7 @@ soalloc(struct vnet *vnet) > static void > sodealloc(struct socket *so) > { >+ struct uidinfo *cr_uidinfo; > > KASSERT(so->so_count == 0, ("sodealloc(): so_count %d", so->so_count)); > KASSERT(so->so_pcb == NULL, ("sodealloc(): so_pcb != NULL")); >@@ -476,6 +477,7 @@ sodealloc(struct socket *so) > #endif > hhook_run_socket(so, NULL, HHOOK_SOCKET_CLOSE); > >+ cr_uidinfo = so->so_cred->cr_uidinfo; > crfree(so->so_cred); > khelp_destroy_osd(&so->osd); > if (SOLISTENING(so)) { >@@ -483,10 +485,10 @@ sodealloc(struct socket *so) > accept_filt_setopt(so, NULL); > } else { > if (so->so_rcv.sb_hiwat) >- (void)chgsbsize(so->so_cred->cr_uidinfo, >+ (void)chgsbsize(cr_uidinfo, > &so->so_rcv.sb_hiwat, 0, RLIM_INFINITY); > if (so->so_snd.sb_hiwat) >- (void)chgsbsize(so->so_cred->cr_uidinfo, >+ (void)chgsbsize(cr_uidinfo, > &so->so_snd.sb_hiwat, 0, RLIM_INFINITY); > sx_destroy(&so->so_snd.sb_sx); > sx_destroy(&so->so_rcv.sb_sx);
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=224933">View the attachment on a separate page</a>.</b>
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 255869
:
224933
|
225050