authorEdward Tomasz Napierala <trasz@FreeBSD.org>2008-09-06 13:17:35 +0000
committerEdward Tomasz Napierala <trasz@FreeBSD.org>2008-09-06 13:17:35 +0000
commit23f80af2ca2d2c5c4a6b8a45055ba9eeebd7e815 (patch)
tree872e6821e612b7c5016650c20bf214243b559e4b /bin
parent2647b253d7a2f40c7e102b73772323045bdf0801 (diff)
Fix double free in setfacl(1). Description from the author:
Initially, 'acl' (an 'acl_t *') is allocated, and its ACCESS_ACL and DEFAULT_ACL fields are passed to the 'libc' ACL routines for subsequent allocation. If the '-m' option (merge existing ACL with a new one) is specified, then 'set_acl_mask()' will be called and passed one of the two ACLs. This function, in turn, replaces the given ACL structure with another, freshly allocated one. However, the pointer in the 'acl' variable in the caller is not updated. The caller then proceeds to free the ACL, resulting in a double free. Submitted by: Pedro Martelletto <pedro at ambientworks.net> Approved by: rwatson (mentor)
Notes
Notes: svn path=/head/; revision=182813
Diffstat (limited to 'bin')
-rw-r--r--bin/setfacl/setfacl.c10
1 files changed, 6 insertions, 4 deletions
diff --git a/bin/setfacl/setfacl.c b/bin/setfacl/setfacl.c
index b86dbb1eac75..2286efb244a6 100644
--- a/bin/setfacl/setfacl.c
+++ b/bin/setfacl/setfacl.c
@@ -245,10 +245,13 @@ main(int argc, char *argv[])
continue;
}
- if (acl_type == ACL_TYPE_ACCESS)
+ if (acl_type == ACL_TYPE_ACCESS) {
final_acl = acl[ACCESS_ACL];
- else
+ acl_free(acl[DEFAULT_ACL]);
+ } else {
final_acl = acl[DEFAULT_ACL];
+ acl_free(acl[ACCESS_ACL]);
+ }
if (need_mask && (set_acl_mask(&final_acl) == -1)) {
warnx("failed to set ACL mask on %s", file->filename);
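Review bot: After `acl_free(acl[DEFAULT_ACL]);` (and `acl_free(acl[ACCESS_ACL]);` in the else branch) the freed pointer stays in the `acl[]` array until `free(acl)` at the end of the loop body, so any code in between that reads that slot would touch freed memory. Clearing the slot right after the free, e.g. `acl[DEFAULT_ACL] = NULL;`, makes a later misuse detectable rather than a silent use-after-free. The slot aliased by `final_acl` has the same problem once `set_acl_mask(&final_acl)` replaces the ACL, so a short comment such as `/* final_acl owns the selected ACL from here on; acl[] must not be used again */` would record the ownership rule this fix depends on. The enclosing loop body in main() starts and ends outside this hunk.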
@@ -269,8 +272,7 @@ main(int argc, char *argv[])
}
}
- acl_free(acl[ACCESS_ACL]);
- acl_free(acl[DEFAULT_ACL]);
+ acl_free(final_acl);
free(acl);
}
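Review bot: `acl_free(final_acl);` is only safe if `set_acl_mask()` leaves `*final_acl` pointing at a live ACL on every return path, including the `-1` return checked in the previous hunk; if it releases the old ACL before a failing step, this line frees it a second time. set_acl_mask() is not part of this diff, so its error paths should be checked and the result stated in a comment here, for example `/* set_acl_mask() may replace final_acl; it is the only ACL still owned at this point */`. The loop body this cleanup belongs to starts outside the hunk.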