Created attachment 224934
assigns verf.oa_base to checksum.value back
Bug File: sys/rpc/rpcsec_gss/rpcsec_gss.c
In function rpc_gss_marshal, checksum.value is assigned to verf.oa_base at line 591. Then verf.oa_base is freed via xdr_opaque_auth()->xdr_bytes()->mem_free(),
and verf.oa_base is set to NULL. Notice that checksum.value is now a dangling pointer that points to a freed memory object.
Then gss_release_buffer() at line 595 is called, and the memory object pointed to by checksum.value is freed via free() again.
As verf.oa_base is set to NULL when it is freed, my patch assigns verf.oa_base back to checksum.value. If verf.oa_base is freed, the value of checksum.value will be NULL and no double free happens.
I believe this bug can't be triggered today. XDR_ENCODE is the only operation that rpc_gss_marshal() will handle, based on my reading of the callers. I'm not very certain though. Rick, do you see anything that should be changed here?
I think your analysis is correct.

rpc_gss_marshal() is only called by the AUTH_MARSHALL() macros and they are only used during encoding (x_op == XDR_ENCODE).
--> See all uses of AUTH_MARSHALL().

Since mem_free() is not called in xdr_bytes() for the XDR_ENCODE case, there is no "double free".

Also, since it is on the main "always executed" code path, any such bug would have been detected during testing.
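The aliasing described in the report (checksum.value copied into verf.oa_base, XDR routine run, then gss_release_buffer()) and the point made in the reply (xdr_bytes() only frees in the XDR_FREE case) can be reproduced in a small constructed model. The code below is an added example, not code from sys/rpc/rpcsec_gss/rpcsec_gss.c, the reporter's patch, or the FreeBSD XDR/GSS libraries; the names xdr_bytes_model, gss_release_buffer_model, marshal_model and tracked_free, the reduced structs, and the instrumented free that records a second free of the same pointer instead of performing it are all assumptions made so the demo runs safely and offline.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the XDR operation modes (the real ones live in sys/rpc/xdr.h). */
enum xdr_op { XDR_ENCODE, XDR_DECODE, XDR_FREE };

/* Reduced model of struct opaque_auth: only the buffer fields the report concerns. */
struct opaque_auth { char *oa_base; unsigned oa_length; };

/* Reduced model of a GSS-API buffer descriptor. */
struct gss_buffer { size_t length; void *value; };

/* Instrumented free(): counts calls and detects a second free of the same
   pointer. The second free is recorded and skipped rather than performed,
   because really freeing twice is undefined behaviour. The address check is
   only valid because each scenario allocates exactly one buffer. */
static int free_calls, double_frees;
static void *last_freed;

static void tracked_free(void *p) {
    if (p == NULL)
        return;                         /* free(NULL) is a no-op, as in libc */
    free_calls++;
    if (p == last_freed) {
        double_frees++;                 /* this is the bug the report describes */
        return;
    }
    last_freed = p;
    free(p);
}

/* Model of xdr_bytes(): in XDR_FREE it releases *cpp and NULLs it; in
   XDR_ENCODE it only reads the buffer and leaves ownership with the caller
   (XDR_DECODE would allocate into it; omitted here as it is not on this path). */
static bool xdr_bytes_model(enum xdr_op op, char **cpp) {
    if (op == XDR_FREE) {
        tracked_free(*cpp);
        *cpp = NULL;
    }
    return true;
}

/* Model of gss_release_buffer(): frees and clears the descriptor. */
static void gss_release_buffer_model(struct gss_buffer *b) {
    tracked_free(b->value);
    b->value = NULL;
    b->length = 0;
}

/* Model of the tail of rpc_gss_marshal(): the MIC checksum is aliased into
   verf.oa_base, passed to the XDR routine, then released. `patched` applies
   the reporter's fix of copying verf.oa_base back into checksum.value.
   Returns the number of double frees observed (0 means safe). */
static int marshal_model(enum xdr_op op, bool patched) {
    free_calls = double_frees = 0;
    last_freed = NULL;

    struct gss_buffer checksum = { 4, malloc(4) };   /* constructed MIC, hypothetical */
    if (checksum.value == NULL)
        return -1;
    memcpy(checksum.value, "mic!", 4);

    struct opaque_auth verf = { checksum.value, (unsigned)checksum.length };

    xdr_bytes_model(op, &verf.oa_base);
    if (patched)
        checksum.value = verf.oa_base;   /* NULL if the XDR routine freed it */

    gss_release_buffer_model(&checksum);
    return double_frees;
}

/* Number of real free() calls performed by the last marshal_model() run. */
static int frees_performed(void) {
    return free_calls;
}

int main(void) {
    printf("XDR_FREE   unpatched: double frees = %d\n", marshal_model(XDR_FREE, false));
    printf("XDR_FREE   patched:   double frees = %d\n", marshal_model(XDR_FREE, true));
    printf("XDR_ENCODE unpatched: double frees = %d\n", marshal_model(XDR_ENCODE, false));
    printf("XDR_ENCODE patched:   double frees = %d\n", marshal_model(XDR_ENCODE, true));
    return 0;
}
```

The unpatched XDR_FREE run is the only one that hits the second free, which is what the patch closes; both XDR_ENCODE runs free the buffer exactly once, which is the reply's point that the current callers never reach the problematic case.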