On Thu, Jun 21, 2018 at 07:46:12PM +0200, Sebastien Marie wrote:
> Hi,
>
> [email protected] has corrected a use-after-free on NetBSD on similar
> code we have.
>
> Fix use-after-free, m_cat can free m.
>
> http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/net80211/ieee80211_input.c.diff?r1=1.111&r2=1.112
>
>
> From code reading on our side, I think the same problem is present.
>
> net80211/ieee80211_input.c
> 538 /*
> 539  * Handle defragmentation (see 9.5 and Annex C). We support the concurrent
> 540  * reception of fragments of three fragmented MSDUs or MMPDUs.
> 541  */
> 542 struct mbuf *
> 543 ieee80211_defrag(struct ieee80211com *ic, struct mbuf *m, int hdrlen)
> 544 {
> ...
> 597     /* strip 802.11 header and concatenate fragment */
> 598     m_adj(m, hdrlen);
> 599     m_cat(df->df_m, m);
> 600     df->df_m->m_pkthdr.len += m->m_pkthdr.len;
>
If I am not mistaken, I think the use-after-free is present, but it lives in dead code. The ieee80211_defrag() function seems not to be used anywhere. It comes from Feb 8, 2009, in a commit from damien@:

----------------------------
revision 1.109
date: 2009/02/08 15:34:39;  author: damien;  state: Exp;  lines: +94 -1;
initial 802.11 defragmentation bits.
the code will allow the concurrent reception of fragments of three
fragmented MSDUs or MMPDUs as required by the 802.11 standard.
----------------------------

But I fail to find whether it was ever used or if it has just been dead code since 2009.

Whole commit:
https://github.com/openbsd/src/commit/0c2a2ba16ccde25b321c6ae91f3f5bcf12f981cf

-- 
Sebastien Marie
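A toy model of the ordering problem quoted above (m_pkthdr.len read from m after m_cat() may have freed it), added here as an illustration; it is not OpenBSD or NetBSD code. The struct, mk_frag(), m_cat_sim() and its poisoning "free" are simplified stand-ins for the real mbuf API, and the fragment contents are constructed.

```c
#include <stdlib.h>
#include <string.h>
#define MSIZE 64
struct mbuf {
    struct mbuf *m_next;
    int m_len;         /* bytes of data in this mbuf */
    int m_pkthdr_len;  /* total bytes in the chain (kept in the head mbuf) */
    char m_data[MSIZE];
};

/* Constructed fragment for the example: one mbuf holding string s. */
struct mbuf *mk_frag(const char *s)
{
    struct mbuf *m = calloc(1, sizeof(*m));
    m->m_len = m->m_pkthdr_len = (int)strlen(s);
    memcpy(m->m_data, s, m->m_len);
    return m;
}

/* Toy m_cat(): append fragment m to chain head n.  Like the real m_cat() it
 * may free m (here: when m's data fits into n's trailing space); the "free"
 * only zeroes the header so the bug shows as a wrong value, not as UB. */
static void m_cat_sim(struct mbuf *n, struct mbuf *m)
{
    if (m->m_len <= MSIZE - n->m_len) {
        memcpy(n->m_data + n->m_len, m->m_data, m->m_len);
        n->m_len += m->m_len;
        m->m_len = m->m_pkthdr_len = 0;   /* m is "freed" from here on */
    } else {
        n->m_next = m;                    /* m stays alive in the chain */
    }
}

/* Ordering from the quoted ieee80211_defrag(): m is read after m_cat(). */
int defrag_len_unsafe(struct mbuf *df_m, struct mbuf *m)
{
    m_cat_sim(df_m, m);
    df_m->m_pkthdr_len += m->m_pkthdr_len;  /* use after (simulated) free */
    return df_m->m_pkthdr_len;
}

/* Safe ordering: copy what is needed from m before m_cat() may free it. */
int defrag_len_safe(struct mbuf *df_m, struct mbuf *m)
{
    int mlen = m->m_pkthdr_len;
    m_cat_sim(df_m, m);
    df_m->m_pkthdr_len += mlen;
    return df_m->m_pkthdr_len;
}
```

With two small fragments the unsafe ordering reports 5 bytes for an 11-byte packet, while the safe ordering reports 11.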
