CyberLeo.Net >> Repos - FreeBSD/FreeBSD.git/commit
accept_filter: Fix filter parameter handling
author Mark Johnston <markj@FreeBSD.org>
Thu, 25 Mar 2021 21:55:20 +0000 (17:55 -0400)
committer Mark Johnston <markj@FreeBSD.org>
Tue, 6 Apr 2021 18:59:00 +0000 (14:59 -0400)
commit 49f3ea024bc1a12c82d3729254221d5a0242794d
tree 9267e9a908e72b9ef516db39100b6544cb1f2a6f
parent af61348d61f51a88b438d41c3c91b56b2b65ed9b

For filters which implement accf_create, the setsockopt(2) handler
caches the filter name in the socket, but it also incorrectly frees the
buffer containing the copy, leaving a dangling pointer.  Note that no
accept filters provided in the base system are susceptible to this, as
they don't implement accf_create.

Reported by: Alexey Kulaev <alex.qart@gmail.com>
Discussed with: emaste
Sponsored by: The FreeBSD Foundation
Approved by: so
Security: CVE-2021-29627
Security: FreeBSD-SA-21:09.accept_filter

(cherry picked from commit 653a437c04440495cd8e7712c7cf39444f26f1ee)
(cherry picked from commit 6008a5fad3c110c4ec03cc3fe60ce41c4e548b98)
sys/kern/uipc_accf.c
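
The ownership mistake the commit message describes (a name copy cached in the socket, then freed by the handler), shown as an added user-space model; it is not FreeBSD kernel code and not the content of this commit. Every identifier in it (`sock_model`, `setopt_before`, `setopt_after`, the tracking pool) is hypothetical, and released buffers are only marked rather than returned to the heap so the dangling state can be inspected safely.

```c
#include <string.h>

/* User-space model of the ownership bug; every name here is hypothetical. */
#define NBUF 4
struct buf { char data[16]; int live; };
static struct buf pool[NBUF];      /* released buffers stay inspectable */
static int next_buf;

static struct buf *buf_alloc(const char *s) {
    if (next_buf == NBUF) return NULL;
    struct buf *b = &pool[next_buf++];
    strncpy(b->data, s, sizeof(b->data) - 1);
    b->data[sizeof(b->data) - 1] = '\0';
    b->live = 1;
    return b;
}
static void buf_free(struct buf *b) { if (b) b->live = 0; }

struct sock_model { struct buf *filter_name; };

/* Before: the copy is cached in the socket, then freed on the exit path. */
static int setopt_before(struct sock_model *so, const char *name, int has_create) {
    struct buf *copy = NULL;
    if (has_create && (copy = buf_alloc(name)) == NULL) return -1;
    so->filter_name = copy;
    buf_free(copy);                /* the socket still points at this buffer */
    return 0;
}

/* After: caching transfers ownership, so the local is cleared before cleanup. */
static int setopt_after(struct sock_model *so, const char *name, int has_create) {
    struct buf *copy = NULL;
    if (has_create && (copy = buf_alloc(name)) == NULL) return -1;
    so->filter_name = copy;
    copy = NULL;                   /* the socket owns the buffer from here on */
    buf_free(copy);                /* cleanup is now a no-op for this buffer */
    return 0;
}

/* Returns 1 when the socket's cached name refers to released storage. */
static int name_dangles(const struct sock_model *so) {
    return so->filter_name != NULL && !so->filter_name->live;
}

int main(void) {
    struct sock_model s1 = {0}, s2 = {0};
    setopt_before(&s1, "examplefilter", 1);   /* constructed filter name */
    setopt_after(&s2, "examplefilter", 1);
    return (name_dangles(&s1) == 1 && name_dangles(&s2) == 0) ? 0 : 1;
}
```

With `has_create` set to 0 no copy is cached at all, which mirrors the commit message's note that filters without `accf_create` are not affected.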