accept_filter: Fix filter parameter handling

For filters which implement accf_create, the setsockopt(2) handler caches the filter name in the socket, but it also incorrectly frees the buffer containing the copy, leaving a dangling pointer. Note that no accept filters provided in the base system are susceptible to this, as they don't implement accf_create. Reported by: Alexey Kulaev <alex.qart@gmail.com> Discussed with: emaste Security: kernel use-after-free MFC after: 3 days Sponsored by: The FreeBSD Foundation
2021-03-25 17:55:20 -04:00 · 2021-03-25 17:55:20 -04:00 · 653a437c04
commit 653a437c04
parent 15f3355567
1 changed files with 1 additions and 0 deletions
--- a/sys/kern/uipc_accf.c
+++ b/sys/kern/uipc_accf.c
@ -299,6 +299,7 @@ accept_filt_setopt(struct socket *so, struct sockopt *sopt)
 	so->sol_accept_filter = afp;
 	so->sol_accept_filter_arg = accept_filter_arg;
 	so->sol_accept_filter_str = accept_filter_str;
+	accept_filter_str = NULL;
 	so->so_options |= SO_ACCEPTFILTER;
 out:
 	SOCK_UNLOCK(so);