On Fri, Jan 30, 2015 at 22:55, Alexander Bluhm wrote:
> On Fri, Jan 30, 2015 at 02:34:42PM -0700, Todd C. Miller wrote:
>> I think the simplest fix is to just move the m_free to the bad:
>> label.
>
> sosetopt() calls m_free() and then it is called again. So it is a
> double free.
>
> I would move the so->so_proto check between the if (name == -1) and
> the if (lsa.optlen > MLEN) block. There m has not been allocated.
>
> Untested as I do not have an i386 right now.
This will change the semantics slightly for programs that, for example, set those options but then pass in an invalid pointer. I think that's acceptable, however. Well-behaved programs will not notice the difference. ok
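The double-free shape discussed above and the proposed fix, as an added C model (not the OpenBSD kernel code; the function and struct names are hypothetical, and a counting buffer stands in for the real mbuf allocator so the bug is observed rather than crashing):

```c
#include <stddef.h>

/* Tracking buffer: counts frees instead of touching a real heap. */
struct mbuf_model { int free_count; };

static void m_free_model(struct mbuf_model *m) { m->free_count++; }

/* Callee that takes ownership of m and frees it on every return path,
 * the behaviour the thread attributes to sosetopt(). */
static int setopt_consumes(struct mbuf_model *m, int proto_ok) {
    m_free_model(m);
    return proto_ok ? 0 : -1;
}

/* Buggy shape: m exists before the protocol check, and the shared error
 * label frees whatever m points to, even after the callee already did. */
int buggy_path(struct mbuf_model *m, int name_ok, int proto_ok) {
    struct mbuf_model *owned = NULL;
    int err = 0;
    if (!name_ok) { err = -1; goto bad; }       /* the name == -1 check */
    owned = m;                                  /* stands in for allocation */
    err = setopt_consumes(owned, proto_ok);     /* owned is freed here ... */
    if (err) goto bad;                          /* ... and again at bad: */
    return 0;
bad:
    if (owned) m_free_model(owned);
    return err;
}

/* Fixed shape (the thread's suggestion): validate the protocol while m is
 * still NULL, so every goto bad runs with nothing to free, and after the
 * consuming call the caller never touches m again. */
int fixed_path(struct mbuf_model *m, int name_ok, int proto_ok) {
    struct mbuf_model *owned = NULL;
    int err = 0;
    if (!name_ok) { err = -1; goto bad; }
    if (!proto_ok) { err = -1; goto bad; }      /* m not allocated yet */
    owned = m;
    return setopt_consumes(owned, proto_ok);    /* ownership handed over */
bad:
    if (owned) m_free_model(owned);
    return err;
}

/* Run one path on a fresh buffer and report how often it was freed. */
int frees_after(int (*path)(struct mbuf_model *, int, int),
                int name_ok, int proto_ok) {
    struct mbuf_model m = { 0 };
    path(&m, name_ok, proto_ok);
    return m.free_count;
}
```

With a valid name and a rejected protocol the buggy path frees the buffer twice, the fixed path not at all; on the success path both free it exactly once.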
