author | 2020-04-06 17:05:40 +0000 | |
---|---|---|
committer | 2020-04-06 17:05:40 +0000 | |
commit | b5777858a0a83af451f4b42450b2470bfc7d0e0c (patch) | |
tree | e8943f2e5df1a9ee5e54ec0642eb9956a1146f33 | |
parent | Re-enable the client test now that it passes again. (diff) | |
dhcpd could reference freed memory after releasing a lease with
an unusually long uid.
Reported by Adarsh Dinesh. Thanks!
-rw-r--r-- | usr.sbin/dhcpd/memory.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/usr.sbin/dhcpd/memory.c b/usr.sbin/dhcpd/memory.c index d0b44d69132..0fdc6fc327e 100644 --- a/usr.sbin/dhcpd/memory.c +++ b/usr.sbin/dhcpd/memory.c @@ -1,4 +1,4 @@ -/* $OpenBSD: memory.c,v 1.28 2017/02/13 23:04:05 krw Exp $ */ +/* $OpenBSD: memory.c,v 1.29 2020/04/06 17:05:40 krw Exp $ */ /* * Copyright (c) 1995, 1996, 1997, 1998 The Internet Software Consortium. @@ -502,7 +502,8 @@ supersede_lease(struct lease *comp, struct lease *lease, int commit) uid_hash_delete(comp); enter_uid = 1; if (comp->uid != &comp->uid_buf[0]) { - free(comp->uid); + if (comp->uid != lease->uid) + free(comp->uid); comp->uid_max = 0; comp->uid_len = 0; } |
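Review bot: The new guard `if (comp->uid != lease->uid)` in the `supersede_lease()` hunk (@@ -502) carries no comment saying when `comp` and `lease` can point at the same heap-allocated uid, and the commit message only mentions an "unusually long uid". A short comment above the check should state that the two leases may share one allocation when the uid is not stored in `uid_buf`, and which of them owns that allocation afterwards, so the ownership rule can be reviewed rather than inferred. Also, when the `free()` is skipped, `comp->uid_max` and `comp->uid_len` are still set to 0 while `comp->uid` is left as it was in these lines. Confirm that the code following this hunk reassigns `comp->uid` before anything reads it, and that no later path frees the shared buffer through both leases.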