Bug 209538

Summary: use-after-free bug in nscd cache_read() - Coverity CID 1006083
Product: Base System
Reporter: Don Lewis <truckman>
Component: bin
Assignee: freebsd-bugs mailing list <bugs>
Status: New
Severity: Affects Only Me
CC: trasz
Priority: ---
Keywords: patch
Version: CURRENT
Hardware: Any
OS: Any
Attachments: patch to fix use-after-free error in nscd (flags: none)

Description Don Lewis freebsd_committer 2016-05-16 05:05:47 UTC
Created attachment 170339
patch to fix use-after-free error in nscd

Coverity flagged a use-after-free error in the nscd cache_read function.  It noticed that find_res->value is getting freed before it gets passed to memcpy().  It looks like the problem is a missing return (-1) inside the

    if (find_res->fifo_policy_item->last_request_time.tv_sec -
        find_res->fifo_policy_item->creation_time.tv_sec >
        common_entry->common_params.max_lifetime.tv_sec) {

block.
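
The fall-through described in this report, reduced to a stand-alone C sketch with the return in place. This is an added example, not nscd's code or the attached patch; the `struct item`/`struct entry` types, the `sketch_put` and `sketch_cache_read` names, the single-slot cache and the return codes are assumptions made for illustration.

```c
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* Simplified stand-ins for nscd's cache structures (hypothetical types). */
struct item {
    char *value;              /* heap-allocated cached data */
    size_t value_size;
    time_t creation_time, last_request_time;
};
struct entry { struct item *slot; time_t max_lifetime; };

/* Store one value in the (empty) single-slot cache; 0 on success, -1 on ENOMEM. */
int sketch_put(struct entry *e, const char *val, size_t len, time_t now)
{
    struct item *it = calloc(1, sizeof(*it));
    if (it == NULL || (it->value = malloc(len)) == NULL) {
        free(it);
        return -1;
    }
    memcpy(it->value, val, len);
    it->value_size = len;
    it->creation_time = it->last_request_time = now;
    e->slot = it;
    return 0;
}

/* 0 = hit (value copied), -1 = miss or expired, -2 = buf too small. */
int sketch_cache_read(struct entry *e, time_t now, char *buf, size_t *buf_size)
{
    struct item *find_res = e->slot;
    if (find_res == NULL)
        return -1;
    find_res->last_request_time = now;
    if (e->max_lifetime != 0 &&
        find_res->last_request_time - find_res->creation_time > e->max_lifetime) {
        free(find_res->value);   /* find_res->value is dangling from here on */
        free(find_res);
        e->slot = NULL;          /* drop the stale reference as well */
        return -1;  /* without this return, control reaches memcpy() below */
    }
    if (*buf_size < find_res->value_size) {
        *buf_size = find_res->value_size;
        return -2;
    }
    memcpy(buf, find_res->value, find_res->value_size);
    *buf_size = find_res->value_size;
    return 0;
}
```

Building the sketch with `-fsanitize=address` and deleting the marked `return -1` makes the expired-entry read report a heap-use-after-free at the `memcpy()` call.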
Comment 1 Edward Tomasz Napierala freebsd_committer 2018-10-05 09:47:37 UTC
Does nscd(8) still work correctly after you add the missing return?
Comment 2 Don Lewis freebsd_committer 2018-10-05 17:24:03 UTC
I don't use nscd ...