mirror of
https://git.FreeBSD.org/src.git
synced 2024-10-19 02:29:40 +00:00
Fix double free in setfacl(1). Description from the author:
Initially, 'acl' (an 'acl_t *') is allocated, and its ACCESS_ACL and DEFAULT_ACL fields are passed to the 'libc' ACL routines for subsequent allocation. If the '-m' option (merge existing ACL with a new one) is specified, then 'set_acl_mask()' will be called and passed one of the two ACLs. This function, in turn, replaces this given ACL structure by another, freshly allocated. However, the pointer in the 'acl' variable in the caller is not updated. The caller then proceeds to free the ACL, incurring in a double free condition. Submitted by: Pedro Martelletto <pedro at ambientworks.net> Approved by: rwatson (mentor)
This commit is contained in:
parent
2647b253d7
commit
23f80af2ca
Notes:
svn2git
2020-12-20 02:59:44 +00:00
svn path=/head/; revision=182813
@ -245,10 +245,13 @@ main(int argc, char *argv[])
|
||||
continue;
|
||||
}
|
||||
|
||||
if (acl_type == ACL_TYPE_ACCESS)
|
||||
if (acl_type == ACL_TYPE_ACCESS) {
|
||||
final_acl = acl[ACCESS_ACL];
|
||||
else
|
||||
acl_free(acl[DEFAULT_ACL]);
|
||||
} else {
|
||||
final_acl = acl[DEFAULT_ACL];
|
||||
acl_free(acl[ACCESS_ACL]);
|
||||
}
|
||||
|
||||
if (need_mask && (set_acl_mask(&final_acl) == -1)) {
|
||||
warnx("failed to set ACL mask on %s", file->filename);
|
||||
@ -269,8 +272,7 @@ main(int argc, char *argv[])
|
||||
}
|
||||
}
|
||||
|
||||
acl_free(acl[ACCESS_ACL]);
|
||||
acl_free(acl[DEFAULT_ACL]);
|
||||
acl_free(final_acl);
|
||||
free(acl);
|
||||
}
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user