From 5c4eb897462928e39604144796e7ffa206845616 Mon Sep 17 00:00:00 2001 From: Conrad Meyer Date: Thu, 12 May 2016 04:54:32 +0000 Subject: [PATCH] rtadvd(8): Don't use-after-free This whole block of code as committed fully formed in r224144. I'm not really sure what the intent was, but it seems plausible that !persist ifis could need other member cleanup. Don't free the object until after we've finished cleaning its members. Reported by: Coverity CID: 1006079 Sponsored by: EMC / Isilon Storage Division --- usr.sbin/rtadvd/config.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/usr.sbin/rtadvd/config.c b/usr.sbin/rtadvd/config.c index d63af5a4ab4c..165a64dec693 100644 --- a/usr.sbin/rtadvd/config.c +++ b/usr.sbin/rtadvd/config.c @@ -234,7 +234,6 @@ rm_ifinfo(struct ifinfo *ifi) TAILQ_REMOVE(&ifilist, ifi, ifi_next); syslog(LOG_DEBUG, "<%s>: ifinfo (idx=%d) removed.", __func__, ifi->ifi_ifindex); - free(ifi); } else { /* recreate an empty entry */ update_persist_ifinfo(&ifilist, ifi->ifi_ifname); @@ -278,6 +277,8 @@ rm_ifinfo(struct ifinfo *ifi) } syslog(LOG_DEBUG, "<%s> leave (%s).", __func__, ifi->ifi_ifname); + if (!ifi->ifi_persist) + free(ifi); return (0); }