From 7314601f9d9633c08f35d6ac1a5be834b0a8028a Mon Sep 17 00:00:00 2001
From: cinap_lenrek
Date: Tue, 1 Mar 2016 23:54:37 +0100
Subject: pppoe: Avoid double free (thanks k0ga)

k0ga reports:

Hello,

While I was setting my pppoe conexion with my ISP I discovered several problems in ip/pppoe.
I used the command line ip/pppoe -A '' ether0 and I got this:

...
dropping unwanted pkt: wrong ac name
panic: D2B called on non-block dc10 (double-free?)
note rcved: sys: trap: fault read addr=0x0 pc=0x000066e1
pppoe 1013: suicide: sys: trap: fault read addr=0x0 pc=0x000066e1
cpu% acid 1013
/proc/1013/text:386 plan 9 executable
/sys/lib/acid/port
/sys/lib/acid/386
acid: stk()
abort()+0x0 /sys/src/libc/9sys/abort.c:6
ppanic(p=0xd1b8,fmt=0xc7f9)+0x146 /sys/src/libc/port/malloc.c:166
D2B(p=0xd1b8,v=0xdc10)+0x57 /sys/src/libc/port/pool.c:926
poolfreel(v=0xdc10,p=0xd1b8)+0x20 /sys/src/libc/port/pool.c:1152
poolfree(p=0xd1b8,v=0xdc10)+0x3b /sys/src/libc/port/pool.c:1287
free(v=0xdc18)+0x23 /sys/src/libc/port/malloc.c:250
clearstate()+0x1b /sys/src/cmd/ip/pppoe.c:328
pppoe(ether=0xdfffefc1)+0x123 /sys/src/cmd/ip/pppoe.c:426
main(argv=0xdfffefa0,argc=0x1)+0x89 /sys/src/cmd/ip/pppoe.c:100
_main+0x31 /sys/src/libc/386/main9.s:16
acid:

clearstate() is called in pppoe.c:424, and it frees acname and sets it to nil. pktread() is called in pppoe.c:434 with parameter wantoffer, which frees acname again in line pppoe.c:360 but doesn't set it to nil, so clearstate() makes a double free in the next iteration.
---
 sys/src/cmd/ip/pppoe.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/sys/src/cmd/ip/pppoe.c b/sys/src/cmd/ip/pppoe.c
index 9fcd8c05d..6cd3f2570 100644
--- a/sys/src/cmd/ip/pppoe.c
+++ b/sys/src/cmd/ip/pppoe.c
@@ -358,6 +358,7 @@ wantoffer(uchar *pkt)
 	acname = copy(s, len);
 	if(wantac && strcmp(acname, wantac) != 0){
 		free(acname);
+		acname = nil;
 		return bad("wrong ac name");
 	}
-- 
cgit v1.2.3
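Review bot: The added `acname = nil;` fixes the reported double free, but nothing in the hunk records why the reset is required, so the next person to add an early-exit path that frees `acname` has no cue to do the same. Per the commit message, `acname` is file-scope state that `clearstate()` frees on every iteration of the discovery loop, which means every `free(acname)` in a handler must be paired with a nil assignment; a comment on the new line, `/* clearstate() frees acname again on the next try; nil it to avoid a double free */`, would pin that invariant where it matters. The same pairing should be checked at any other free of `acname` or of the sibling cookie/service buffers in this file, which are outside the hunk. Note also that `strcmp(acname, wantac)` on the preceding line assumes `copy()` never returns nil; if `copy()` can fail, that path needs its own check, but `copy()` is not visible here. The body of `wantoffer` begins and ends outside the hunk.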