From 16290f50e9f9adb7f0e1ef1f5b5078e705c2dff5 Mon Sep 17 00:00:00 2001
From: Ronan Pigott
Date: Mon, 3 Jul 2023 00:36:04 -0700
Subject: [PATCH] ndisc: clear ndisc captive portal value on bogus zero-len option

This value was freed but erroneously never cleared, leading to use-after-free.
Fixes: 9747955d2d60 ("ndisc: parse RFC8910 captive portal ipv6ra option")
---
 src/network/networkd-ndisc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/network/networkd-ndisc.c b/src/network/networkd-ndisc.c
index da5312c5ff4..025deeff900 100644
--- a/src/network/networkd-ndisc.c
+++ b/src/network/networkd-ndisc.c
@@ -734,7 +734,7 @@ static int ndisc_router_process_captive_portal(Link *link, sd_ndisc_router *rt)
 return r;

 if (len == 0) {
- mfree(link->ndisc_captive_portal);
+ link->ndisc_captive_portal = mfree(link->ndisc_captive_portal);
 return 0;
 }

--
2.47.3
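Review bot: The `len == 0` branch of ndisc_router_process_captive_portal resets the field after freeing it, but nothing on the new line says why. The Link object outlives this call, so a later cleanup could easily revert to a bare `mfree(...)` and reintroduce the dangling pointer. A one-line comment above the assignment would keep the invariant visible, for example `/* Zero-length option: drop the stored URI and NULL the field so nothing later reads or frees a stale pointer. */`. The option length comes from a received router advertisement, so this path is presumably reachable from the local network. The diffstat shows only networkd-ndisc.c changed, so a regression or fuzz input covering an empty captive portal option, run under a sanitizer build, would be worth adding alongside the fix. The function body starts and ends outside the hunk, so other places that free `link->ndisc_captive_portal` could not be checked from here.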