From: Ronan Pigott
Date: Mon, 3 Jul 2023 07:36:04 +0000 (-0700)
Subject: ndisc: clear ndisc captive portal value on bogus zero-len option
X-Git-Tag: v254-rc1~46^2~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=16290f50e9f9adb7f0e1ef1f5b5078e705c2dff5;p=thirdparty%2Fsystemd.git

ndisc: clear ndisc captive portal value on bogus zero-len option

This value was freed but erroneously never cleared, leading to use-after-free.

Fixes: 9747955d2d60 ("ndisc: parse RFC8910 captive portal ipv6ra option")
---
diff --git a/src/network/networkd-ndisc.c b/src/network/networkd-ndisc.c
index da5312c5ff4..025deeff900 100644
--- a/src/network/networkd-ndisc.c
+++ b/src/network/networkd-ndisc.c
@@ -734,7 +734,7 @@ static int ndisc_router_process_captive_portal(Link *link, sd_ndisc_router *rt)
 return r;
 if (len == 0) {
- mfree(link->ndisc_captive_portal);
+ link->ndisc_captive_portal = mfree(link->ndisc_captive_portal);
 return 0;
 }
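Review bot: The `len == 0` branch now clears the stored URI but returns 0 without any visible notification that link state changed. If the rest of this function marks the link dirty when the captive portal value changes (not visible in this hunk), a `link_dirty(link);` before `return 0;` would presumably be needed when a previously set value is dropped, so the old URI does not stay in the exported state. Because `len` is taken from a received router advertisement option, i.e. network-controlled input, the branch deserves a comment such as `/* Zero-length option: forget any previously advertised portal. mfree() returns NULL, so no dangling pointer remains. */`. A regression test that processes a valid captive portal option followed by a zero-length one would keep the use-after-free from returning. The function body starts before and continues past this hunk.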