author: jsg <jsg@openbsd.org> 2015-02-09 09:09:30 +0000
committer: jsg <jsg@openbsd.org> 2015-02-09 09:09:30 +0000
commit: e373cecb3518add12e26f8a1cbe77763f5cdfea2
tree: 8b83a9e7053ff522d26dc128d9ebd8cecbfd3a65
parent: Do not even try to call uvm_grow() from sendsig. It will be invoked
If we hit multiple errors while unwinding, we'll end up running code that assumes a pointer is valid when it has been freed. This is convoluted as ksh has its own allocator and uses long jumps. Set the pointer to NULL after the quitenv() call in unwind() in case we later hit a long jump in unwind(). Found with afl a while back. ok tedu@ deraadt@
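A constructed C model of the failure the commit message describes, added here as an illustration and not code from OpenBSD's ksh: tearing down the environment reclaims the global source, a second error long-jumps back, and the only thing the one-line fix changes is whether the code reached by that jump sees a NULL pointer or reclaimed memory. The `reclaimed` flag, `use_source()` and `run_unwind_scenario()` are assumptions standing in for ksh's allocator and callers; `quitenv`, `source` and `unwind` are the names from the commit.

```c
#include <setjmp.h>
#include <stddef.h>

/* Constructed model of the ksh bug: a "source" object owned by the current
 * environment is reclaimed by quitenv(), then a later error long-jumps into
 * code that still expects source to be valid. */
struct source { const char *text; int reclaimed; };	/* reclaimed: "freed" */

static struct source *source;	/* the global the real unwind() clears */
static jmp_buf error_env;	/* where the second error's long jump lands */
static int apply_fix;		/* 0: pre-commit behaviour, 1: source = NULL */

/* Model of quitenv(): the environment's allocator reclaims the source. */
static void quitenv(void)
{
	source->reclaimed = 1;	/* a real free() would make later access undefined */
}

/* Model of the code reached after the second error: 0 = usable source,
 * -1 = saw NULL (handled), -2 = touched reclaimed memory (the use-after-free). */
static int use_source(void)
{
	if (source == NULL)
		return -1;
	if (source->reclaimed)
		return -2;
	return 0;
}

/* Model of unwind(): tear down the environment, then hit a second error. */
static void unwind(void)
{
	quitenv();
	if (apply_fix)
		source = NULL;	/* the one-line fix from the commit */
	longjmp(error_env, 1);	/* second error while still unwinding */
}

/* Run the scenario with or without the fix; returns what use_source() saw. */
int run_unwind_scenario(int fix)
{
	struct source s = { "echo hello", 0 };
	source = &s;
	apply_fix = fix;
	if (setjmp(error_env) == 0)
		unwind();	/* does not return normally */
	return use_source();	/* reached via the long jump */
}
```

Without the fix the jump target silently touches reclaimed memory; with it, the target sees NULL and can refuse, which is the deterministic failure afl-style fuzzing catches immediately.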
bin/ksh/main.c | 9
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/bin/ksh/main.c b/bin/ksh/main.c
index 862c4f84f29..34eafb81921 100644
--- a/bin/ksh/main.c
+++ b/bin/ksh/main.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: main.c,v 1.54 2013/11/28 10:33:37 sobrado Exp $ */
+/* $OpenBSD: main.c,v 1.55 2015/02/09 09:09:30 jsg Exp $ */
/*
* startup, main loop, environments and error handling
@@ -638,6 +638,13 @@ unwind(int i)
default:
quitenv(NULL);
+ /*
+ * quitenv() may have reclaimed the memory
+ * used by source which will end badly when
+ * we jump to a function that expects it to
+ * be valid
+ */
+ source = NULL;
}
}
}
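Review bot: the `source = NULL;` reset is added only under the `default:` label of the switch in unwind(); if any of the other case labels (not visible in this context) also reach quitenv() before a long jump, they need the same reset, so it is worth confirming that the default branch is the only path that tears down the environment owning `source`. Clearing the pointer also means the code the later long jump lands in now sees a NULL `source` rather than reclaimed memory, so the callers that dereference it must tolerate NULL; the new comment could say so explicitly, e.g. ` * be valid; callers must treat a NULL source as "no input"`.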