libpcap has a use after free (found via LLVM).
pcap_close() currently looks like this:
void
pcap_close(pcap_t *p)
{
	if (p->opt.source != NULL)
		free(p->opt.source);
	pcap_cleanup_bpf(p);
	free(p);
}
The bug affects libpcap programs that enable monitor mode on 802.11
devices (i.e. if they call pcap_set_rfmon() followed by
pcap_activate()). If pcap_close() is called after that,
pcap_cleanup_bpf() will attempt to use p->opt.source while trying to
disable monitor mode, resulting in a use after free.
The fix is simple (diff below). I tested this with a small program
that calls pcap_create(), pcap_set_rfmon(), pcap_activate(), and
pcap_close() on an iwn(4) device with MALLOC_OPTIONS=AFGJPRX.
With the diff applied, the test program no longer segfaults.
ok?
Index: pcap-bpf.c
===================================================================
RCS file: /cvs/src/lib/libpcap/pcap-bpf.c,v
retrieving revision 1.24
diff -u -p -r1.24 pcap-bpf.c
--- pcap-bpf.c 16 Oct 2014 20:08:21 -0000 1.24
+++ pcap-bpf.c 14 Jan 2015 03:31:28 -0000
@@ -431,9 +431,8 @@ pcap_cleanup_bpf(pcap_t *p)
void
pcap_close(pcap_t *p)
{
- if (p->opt.source != NULL)
- free(p->opt.source);
pcap_cleanup_bpf(p);
+ free(p->opt.source);
free(p);
}
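Review bot: besides reordering the two calls, this hunk drops the `if (p->opt.source != NULL)` guard; free(NULL) is a no-op in C so that is harmless, but it is a second behavioural change bundled with the use-after-free fix and should at least be mentioned in the commit message (or the guard kept, to keep the diff minimal). It is also worth confirming that nothing on any pcap_cleanup_bpf() path frees or replaces p->opt.source itself, since free(p->opt.source) now runs after it and the hunk's context does not show that function's body.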
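To make the ordering defect visible without a wireless interface or libpcap, here is an added model of the bug (my own example, not libpcap's code and not the test program described above). It keeps a cut-down pcap_t with an opt.source field, a stand-in for pcap_cleanup_bpf() that reads that field when monitor mode was enabled, and a tiny bump allocator whose free() fills the chunk with 0xdf, the way OpenBSD's malloc(3) does under MALLOC_OPTIONS=J. Because the "freed" bytes live in a plain array, reading them after free is not undefined behaviour here, so the buggy and fixed orderings can be compared deterministically. The struct and function names are assumptions that mirror the real ones; the interface name "iwn0" is constructed input.

```c
/*
 * Added example, not libpcap source: models the pcap_close() ordering
 * bug over a small junking arena allocator so the use after free can
 * be observed without undefined behaviour.
 */
#include <stdio.h>
#include <string.h>
#include <stdalign.h>

#define ARENA_SIZE 256
#define JUNK 0xdf          /* OpenBSD malloc(3) 'J' fills freed chunks with 0xdf */

static alignas(16) unsigned char arena[ARENA_SIZE];
static size_t arena_top;

/* Bump allocator: memory is never reused, so a dangling pointer still
 * refers to the chunk's bytes after it has been "freed". */
static void *arena_alloc(size_t n)
{
    size_t rounded = (n + 15) & ~(size_t)15;
    if (arena_top + rounded > ARENA_SIZE)
        return NULL;
    void *p = &arena[arena_top];
    arena_top += rounded;
    return p;
}

/* Free = junk the chunk, as malloc J does.  Reading it afterwards is
 * what pcap_cleanup_bpf() did in the buggy pcap_close(). */
static void arena_free(void *p, size_t n)
{
    if (p != NULL)
        memset(p, JUNK, n);
}

/* Hypothetical subset of pcap_t / pcap_opt that the bug involves. */
struct opt { char *source; size_t source_len; };
struct pcap { struct opt opt; int rfmon_enabled; };

/* Record of the interface name that "disable monitor mode" last saw. */
static char last_ifname[64];

/* Stand-in for pcap_cleanup_bpf(): when monitor mode was enabled it
 * needs p->opt.source to know which interface to take out of rfmon. */
static void cleanup_bpf(struct pcap *p)
{
    if (p->rfmon_enabled) {
        /* The real code passes the name to an ioctl; here we copy it so
         * the caller can inspect what cleanup actually read. */
        memcpy(last_ifname, p->opt.source, p->opt.source_len);
        last_ifname[p->opt.source_len] = '\0';
        p->rfmon_enabled = 0;
    }
}

/* pcap_create() + pcap_set_rfmon() + pcap_activate(), in miniature. */
static struct pcap *create_rfmon(const char *ifname)
{
    struct pcap *p = arena_alloc(sizeof *p);
    size_t n = strlen(ifname) + 1;
    p->opt.source = arena_alloc(n);
    memcpy(p->opt.source, ifname, n);
    p->opt.source_len = n;
    p->rfmon_enabled = 1;
    return p;
}

/* Order from pcap-bpf.c rev 1.24: the name is freed before cleanup. */
static void close_buggy(struct pcap *p)
{
    arena_free(p->opt.source, p->opt.source_len);
    cleanup_bpf(p);                      /* reads the junked name */
    arena_free(p, sizeof *p);
}

/* Order from the diff: cleanup first, then release the name. */
static void close_fixed(struct pcap *p)
{
    cleanup_bpf(p);
    arena_free(p->opt.source, p->opt.source_len);
    arena_free(p, sizeof *p);
}

/* Runs one open/close cycle; returns 1 if cleanup saw the intact name. */
int run_close(int fixed)
{
    arena_top = 0;
    memset(last_ifname, 0, sizeof last_ifname);
    struct pcap *p = create_rfmon("iwn0");   /* constructed input */
    if (fixed)
        close_fixed(p);
    else
        close_buggy(p);
    return strcmp(last_ifname, "iwn0") == 0;
}

/* What the cleanup stand-in last read, for inspection. */
const char *last_seen(void)
{
    return last_ifname;
}

int main(void)
{
    printf("buggy order: cleanup saw %s\n", run_close(0) ? "iwn0" : "junk");
    printf("fixed order: cleanup saw %s\n", run_close(1) ? "iwn0" : "junk");
    return 0;
}
```

Under the buggy order the cleanup stand-in copies five 0xdf bytes instead of "iwn0", which is the same junk pattern the real pcap_cleanup_bpf() would have handed to the kernel with MALLOC_OPTIONS=J; the fixed order hands it the intact name.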