Bug 251203 - net/netatalk3 Use after free in get_tm_used()
Summary: net/netatalk3 Use after free in get_tm_used()
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Only Me
Assignee: Joe Marcus Clarke
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2020-11-17 04:39 UTC by Jose Quinteiro
Modified: 2020-11-22 22:09 UTC (History)
1 user (show)

See Also:
bugzilla: maintainer-feedback? (marcus)

Attachments
Clang address sanitizer report (4.48 KB, text/plain)
2020-11-17 04:39 UTC, Jose Quinteiro 		no flags Details
Proposed fix (681 bytes, patch)
2020-11-17 04:46 UTC, Jose Quinteiro 		no flags Details | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Jose Quinteiro 2020-11-17 04:39:52 UTC 
Created attachment 219761 [details]
Clang address sanitizer report

If get_tm_used encounters a directory with a name ending in
"sparsebunlde", and the logged-in user does not have execute permission
on that directory, we destroy the infoplist bstring we created, and
move on to the next entry. Unfortunately, we do not set infoplist to
NULL, and trying to bdestroy infoplist at cleanup time causes an
attempted read of bstring->slen in a region that was freed.

Found with Clang's address sanitizer.
Comment 1 Jose Quinteiro 2020-11-17 04:46:08 UTC 
Created attachment 219762 [details]
Proposed fix
Comment 2 commit-hook freebsd_committer freebsd_triage 2020-11-22 22:08:51 UTC 
A commit references this bug:

Author: marcus
Date: Sun Nov 22 22:08:39 UTC 2020
New revision: 556076
URL: https://svnweb.freebsd.org/changeset/ports/556076

Log:
  Fix two memory corruption crashes.

  * Use-after-free in afpd's Time Machine Code [1]
  * Memory overrun in extended attributes [2]

  PR:		251203 [1]
  		244191 [2]
  Submitted by:	 Jose Quinteiro <freebsd@quinteiro.org>

Changes:
  head/net/netatalk3/Makefile
  head/net/netatalk3/files/patch-etc_afpd_volume.c
  head/net/netatalk3/files/patch-libatalk_vfs_extattr.c
Comment 3 Joe Marcus Clarke freebsd_committer freebsd_triage 2020-11-22 22:09:38 UTC 
Thanks so much for these fixes, Jose! Committed!