Bug 205834 - rtadvd: accessing freed struct
Summary: rtadvd: accessing freed struct
Status: Closed FIXED
Alias: None
Product: Base System
Classification: Unclassified
Component: bin
Version: CURRENT
Hardware: Any Any
Importance: --- Affects Only Me
Assignee: Hiroki Sato
Reported: 2016-01-03 11:49 UTC by Alexander Cherepanov
Modified: 2025-01-10 19:26 UTC

Attachments
Proposed patch (untested) (2.73 KB, patch)
2016-01-09 09:00 UTC, Andrey V. Elsukov
Proposed patch (untested) (2.61 KB, patch)
2016-01-09 09:07 UTC, Andrey V. Elsukov
Proposed patch (untested) (2.73 KB, patch)
2016-01-09 09:09 UTC, Andrey V. Elsukov
Proposed patch (untested) (2.71 KB, patch)
2016-01-09 09:12 UTC, Andrey V. Elsukov

Description Alexander Cherepanov 2016-01-03 11:49:29 UTC
The problem is in the rm_ifinfo function. If the ifi structure is freed at
https://svnweb.freebsd.org/base/head/usr.sbin/rtadvd/config.c?revision=289750&view=markup#l237
it is then accessed at
https://svnweb.freebsd.org/base/head/usr.sbin/rtadvd/config.c?revision=289750&view=markup#l246
and further.
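
The pattern the report describes (a struct freed on one path of rm_ifinfo and then accessed further down), as an added example that is not part of the original report and is not rtadvd's code. The struct layout, the persist flag and all function names are assumptions made for the illustration; the faulty ordering is shown only in the comment beside the hardened form.

```c
/* Added illustration: a constructed model, not rtadvd source. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct ifinfo {                 /* hypothetical, reduced struct */
	struct ifinfo *next;
	char name[16];
	int persist;                /* assumed flag: entry survives removal */
	int configured;
};
static struct ifinfo *ifilist;

static struct ifinfo *add_ifinfo(const char *name, int persist) {
	struct ifinfo *ifi = calloc(1, sizeof(*ifi));
	if (ifi == NULL) return NULL;
	snprintf(ifi->name, sizeof(ifi->name), "%s", name);
	ifi->persist = persist;
	ifi->configured = 1;
	ifi->next = ifilist;
	return ifilist = ifi;
}

/* Faulty ordering (free on one branch, shared tail still uses ifi):
 *     if (!ifi->persist) { unlink ifi; free(ifi); }
 *     ifi->configured = 0;          <- use after free
 * Hardened: copy what later code needs before any free, return right
 * after free(), and write to the struct only where it is still live. */
static int rm_ifinfo_safe(struct ifinfo *ifi, char *removed, size_t len) {
	struct ifinfo **pp;
	if (ifi == NULL) return -1;
	snprintf(removed, len, "%s", ifi->name);   /* copy before free */
	if (!ifi->persist) {
		for (pp = &ifilist; *pp != NULL; pp = &(*pp)->next)
			if (*pp == ifi) { *pp = ifi->next; break; }
		free(ifi);
		return 1;               /* freed: caller must drop its pointer */
	}
	ifi->configured = 0;        /* still allocated on this path */
	return 0;
}

static int list_len(void) {
	int n = 0;
	for (struct ifinfo *p = ifilist; p != NULL; p = p->next) n++;
	return n;
}

int main(void) {
	char name[16] = "";
	int freed = rm_ifinfo_safe(add_ifinfo("em0", 0), name, sizeof(name));
	printf("%s freed=%d remaining=%d\n", name, freed, list_len());
	return 0;
}
```

Building the unhardened ordering with `-fsanitize=address` is a practical way to confirm this class of bug, since the sanitizer reports the first read or write that follows the free.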
Comment 1 Andrey V. Elsukov freebsd_committer freebsd_triage 2016-01-09 09:00:53 UTC
Created attachment 165294
Proposed patch (untested)
Comment 2 Andrey V. Elsukov freebsd_committer freebsd_triage 2016-01-09 09:03:36 UTC
The code here looks very strange to me. I added a patch that fixes a (probably possible) leak of rainfo when ifi is removed and avoids the reported use after free. But I have no idea how to test it.
Comment 3 Andrey V. Elsukov freebsd_committer freebsd_triage 2016-01-09 09:07:39 UTC
Created attachment 165295
Proposed patch (untested)
Comment 4 Andrey V. Elsukov freebsd_committer freebsd_triage 2016-01-09 09:09:59 UTC
Created attachment 165296
Proposed patch (untested)

Another cleanup :)
Comment 5 Andrey V. Elsukov freebsd_committer freebsd_triage 2016-01-09 09:12:10 UTC
Created attachment 165297
Proposed patch (untested)

Grrr.. Now seems ok.
Comment 6 Eitan Adler freebsd_committer freebsd_triage 2018-05-28 19:44:37 UTC
batch change:

For bugs that match the following
-  Status Is In progress 
AND
- Untouched since 2018-01-01.
AND
- Affects Base System OR Documentation

DO:

Reset to open status.


Note:
I did a quick pass but if you are getting this email it might be worthwhile to double check to see if this bug ought to be closed.
Comment 7 Mark Johnston freebsd_committer freebsd_triage 2025-01-10 19:26:36 UTC
This was fixed in a different way in commit 5c4eb897462928e39604144796e7ffa206845616.