Bug 251203 - net/netatalk3 Use after free in get_tm_used()
Summary: net/netatalk3 Use after free in get_tm_used()
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Only Me
Assignee: Joe Marcus Clarke
Depends on:
Reported: 2020-11-17 04:39 UTC by Jose Quinteiro
Modified: 2020-11-22 22:09 UTC (History)
1 user (show)

See Also:
bugzilla: maintainer-feedback? (marcus)

Clang address sanitizer report (4.48 KB, text/plain)
2020-11-17 04:39 UTC, Jose Quinteiro
no flags Details
Proposed fix (681 bytes, patch)
2020-11-17 04:46 UTC, Jose Quinteiro
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Jose Quinteiro 2020-11-17 04:39:52 UTC
Created attachment 219761 [details]
Clang address sanitizer report

If get_tm_used encounters a directory with a name ending in
"sparsebunlde", and the logged-in user does not have execute permission
on that directory, we destroy the infoplist bstring we created, and
move on to the next entry. Unfortunately, we do not set infoplist to
NULL, and trying to bdestroy infoplist at cleanup time causes an
attempted read of bstring->slen in a region that was freed.

Found with Clang's address sanitizer.
Comment 1 Jose Quinteiro 2020-11-17 04:46:08 UTC
Created attachment 219762 [details]
Proposed fix
Comment 2 commit-hook freebsd_committer 2020-11-22 22:08:51 UTC
A commit references this bug:

Author: marcus
Date: Sun Nov 22 22:08:39 UTC 2020
New revision: 556076
URL: https://svnweb.freebsd.org/changeset/ports/556076

  Fix two memory corruption crashes.

  * Use-after-free in afpd's Time Machine Code [1]
  * Memory overrun in extended attributes [2]

  PR:		251203 [1]
  		244191 [2]
  Submitted by:	 Jose Quinteiro <freebsd@quinteiro.org>

Comment 3 Joe Marcus Clarke freebsd_committer 2020-11-22 22:09:38 UTC
Thanks so much for these fixes, Jose! Committed!