diff --git a/sys/security/mac_do/mac_do.c b/sys/security/mac_do/mac_do.c
index 93f2084d1c93..7bb3e2a150c5 100644
--- a/sys/security/mac_do/mac_do.c
+++ b/sys/security/mac_do/mac_do.c
@@ -390,6 +390,7 @@ toast_rules(struct rules *const rules)
 free(rule->gids, M_MAC_DO);
 free(rule, M_MAC_DO);
 }
+ STAILQ_INIT(head);
 }
 
 static inline void
@@ -1071,13 +1072,13 @@ einval:
 /*
  * Parse rules specification and produce rule structures out of it.
  *
- * Must be called with '*parse_error' set to NULL. Returns 0 on success, with
- * '*rulesp' made to point to a 'struct rule' representing the rules. On error,
- * the returned value is non-zero and '*rulesp' is unchanged. If 'string' has
- * length greater or equal to MAX_RULE_STRING_SIZE, ENAMETOOLONG is returned. If
- * it is not in the expected format, EINVAL is returned. If an error is
- * returned, '*parse_error' is set to point to a 'struct parse_error' giving an
- * error message for the problem.
+ * Must be called with '*parse_error' set to NULL. Returns 0 on success,
+ * filling the passed '*rules' with 'struct rule' objects. On error, the
+ * returned value is non-zero, and '*rules' may have been changed. If 'string'
+ * has length greater or equal to MAX_RULE_STRING_SIZE, ENAMETOOLONG is
+ * returned. If it is not in the expected format, EINVAL is returned. If an
+ * error is returned, '*parse_error' is set to point to a 'struct parse_error'
+ * giving an error message for the problem.
  *
  * Expected format: A >-colon-separated list of rules of the form
  * ">" (for backwards compatibility, a semi-colon ":" is accepted
@@ -1123,7 +1124,6 @@ parse_rules(const char *const string, struct rules *const rules,
 error = parse_single_rule(rule, rules, parse_error);
 if (error != 0) {
 (*parse_error)->pos += rule - copy;
- toast_rules(rules);
 goto error;
 }
 }
diff --git a/tests/sys/mac/do/invalid_configs.sh b/tests/sys/mac/do/invalid_configs.sh
index d1a9eb8c1e96..91e38a0055c0 100644
--- a/tests/sys/mac/do/invalid_configs.sh
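Review bot: The new `STAILQ_INIT(head)` at the end of toast_rules() is what makes a second call on the same `rules` harmless after the elements have been freed, and nothing in the code says so, so a later reader may take it for a redundant reset and drop it. Suggest a comment above it: `/* Leave the list empty so 'rules' can be reused or toasted again. */`. `head` is declared before the hunk, so this assumes it names the list embedded in `rules`; the start of toast_rules() is outside the hunk.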
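Review bot: The reworded contract says `'*rules' may have been changed` on error but leaves implicit who disposes of the partially built list, which is exactly the responsibility the commit shifts by dropping toast_rules() from parse_rules(). Suggest making it explicit, e.g. `On error, the returned value is non-zero and '*rules' may hold partially parsed rules that the caller must dispose of (e.g., with toast_rules()).` Without that sentence a caller reading only this comment has no reason to clean up after a failed parse.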
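Review bot: Removing `toast_rules(rules)` from the parse_single_rule() failure path moves ownership of the partially filled `rules` to the caller, but neither the `error:` label nor any caller is visible here, so it cannot be confirmed from the hunk that every non-zero return is followed by a toast_rules() (or equivalent) on the caller's side; worth checking in the callers. A one-line comment at the former call site would keep the cleanup from being reintroduced and recreating the double free: `/* Partially parsed rules stay in 'rules'; the caller disposes of them. */`. parse_rules() starts and ends outside the hunk.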
+++ b/tests/sys/mac/do/invalid_configs.sh
@@ -72,6 +72,19 @@ rules_wrong_separator_body()
 sysctl_set_and_check_fails_rules "uid=1001>gid=0:gid=1001>gid=5"
 }
 
+# Added after observing a panic() in this situation because of a double-free
+# after introduction of "exec_paths".
+atf_test_case non_first_rule_unparseable
+non_first_rule_unparseable_head()
+{
+ atf_set descr "Non-first rule wrong"
+}
+
+non_first_rule_unparseable_body()
+{
+ sysctl_set_and_check_fails_rules "gid=1001>uid=0;hello"
+}
+
 atf_init_test_cases()
 {
@@ -83,4 +96,5 @@ atf_init_test_cases()
 atf_add_test_case rule_user_names_fail
 atf_add_test_case rule_group_names_fail
 atf_add_test_case rules_wrong_separator
+ atf_add_test_case non_first_rule_unparseable
 }
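Review bot: The comment above `atf_test_case non_first_rule_unparseable` says `in this situation` without describing the situation, so the regression this case guards can only be inferred from the rule string. Suggest `# Regression test: a parse failure on a rule after the first used to double-free the rules already parsed (panic seen after "exec_paths" was introduced).` The descr `Non-first rule wrong` could likewise read `Non-first rule unparseable` so it matches the test case name.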