Fix a use after free in update_rtm_from_rc().

update_rtm_from_rc() calls update_rtm_from_info() internally. The latter one may update provided prtm pointer with a new rtm. Reassign rtm from prtm afeter calling update_rtm_from_info() to avoid touching the freed rtm. PR: 255871 Submitted by: lylgood@foxmail.com MFC after: 3 days
2021-05-14 16:03:08 +00:00 · 2021-05-14 16:03:08 +00:00 · 76cfc6fa0d
commit 76cfc6fa0d
parent 852088f6af
1 changed files with 1 additions and 0 deletions
--- a/sys/net/rtsock.c
+++ b/sys/net/rtsock.c
@ -976,6 +976,7 @@ update_rtm_from_rc(struct rt_addrinfo *info, struct rt_msghdr **prtm,
 	if ((error = update_rtm_from_info(info, prtm, alloc_len)) != 0)
 		return (error);

+	rtm = *prtm;
 	rtm->rtm_flags = rc->rc_rt->rte_flags | nhop_get_rtflags(nh);
 	if (rtm->rtm_flags & RTF_GWFLAG_COMPAT)
 		rtm->rtm_flags = RTF_GATEWAY |