Re: Fix use-after-free in yppush(8)

2014-11-04 Thread Todd C. Miller
On Tue, 04 Nov 2014 14:27:39 +, Dimitris Papastamos wrote:

> It seems to me that we should not free `pfd' at this point.  The saved
> max poll fd is not reset to 0 and I do not see any guarantees that `pfd'
> will point to valid memory after calling free() here.
> 
> Other code that follows the same style, like mountd(8) and rpc.rstatd(8)
> do not do this.

Yes, you are correct.

 - todd
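The pattern discussed above, as an added illustration that is not code from yppush or from either poster: a poll array is grown only when the requested size exceeds a saved maximum, so freeing it without resetting that maximum leaves later passes holding freed memory. The struct, the function names, the `live` tracking flag and the third policy (free and reset) are hypothetical; the model counts affected passes instead of dereferencing anything.

```c
#include <poll.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical model of a poll array cached across loop passes. */
struct pollcache {
    struct pollfd *pfd; /* array reused on every pass */
    int saved_max;      /* size pfd was last allocated for */
    int live;           /* demo-only flag: 1 while pfd is valid memory */
};
enum policy { FREE_NO_RESET, KEEP, FREE_AND_RESET };

/* 0: pfd usable; 1: freed memory would be reused; -1: out of memory. */
static int cache_get(struct pollcache *c, int max) {
    if (max > c->saved_max) {
        struct pollfd *n = calloc((size_t)max, sizeof(*n));
        if (n == NULL)
            return -1;
        free(c->live ? c->pfd : NULL); /* never free a stale pointer */
        c->pfd = n;
        c->saved_max = max;
        c->live = 1;
    }
    return c->live ? 0 : 1;
}

/* Runs iters passes and counts those that would touch freed memory. */
static int simulate(enum policy p, int iters, int max) {
    struct pollcache c = { NULL, 0, 0 };
    int i, r, stale = 0;

    for (i = 0; i < iters; i++) {
        if ((r = cache_get(&c, max)) < 0)
            return -1;
        stale += r; /* a real loop would hand c.pfd to poll() here */
        if (p != KEEP && c.live) {
            free(c.pfd);
            c.live = 0;
            if (p == FREE_AND_RESET)
                c.saved_max = 0; /* forces reallocation next pass */
        }
    }
    free(c.live ? c.pfd : NULL);
    return stale;
}

int main(void) {
    for (int p = FREE_NO_RESET; p <= FREE_AND_RESET; p++)
        printf("policy %d: %d stale passes\n", p, simulate(p, 5, 8));
    return 0;
}
```

`KEEP` corresponds to dropping the `free()` call, as the patch in this thread does; `FREE_AND_RESET` avoids the stale pointer too, at the cost of a new allocation on every pass.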



Fix use-after-free in yppush(8)

2014-11-04 Thread Dimitris Papastamos
Hi,

It seems to me that we should not free `pfd' at this point.  The saved
max poll fd is not reset to 0 and I do not see any guarantees that `pfd'
will point to valid memory after calling free() here.

Other code that follows the same style, like mountd(8) and rpc.rstatd(8)
do not do this.

OK?

===
RCS file: /cvs/src/usr.sbin/ypserv/yppush/yppush.c,v
retrieving revision 1.29
diff -u -p -r1.29 yppush.c
--- yppush.c11 Oct 2014 02:29:24 -  1.29
+++ yppush.c4 Nov 2014 14:19:56 -
@@ -99,7 +99,6 @@ my_svc_run(void)
exit(0);
default:
svc_getreq_poll(pfd, nready);
-   free(pfd);
break;
}
}
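Review bot: With the free(pfd) after svc_getreq_poll(pfd, nready) removed, nothing in this hunk releases pfd any more, and the reason the call must not come back is recorded only in the mail text. Please add a short comment at the default: case saying that pfd is reused across loop iterations and is sized by the saved max poll fd, so it must not be freed there unless that value is reset as well. The allocation site is outside the visible context, so it is also worth confirming in the commit message that the remaining exit from my_svc_run() (the exit(0) shown above the default: case) is the only way out and that holding the buffer until then is intended.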