ndisc: clear ndisc captive portal value on bogus zero-len option

This value was freed but erroneously never cleared, leading to
use-after-free.

Fixes: 9747955d2d60 ("ndisc: parse RFC8910 captive portal ipv6ra option")

diff --git a/src/network/networkd-ndisc.c b/src/network/networkd-ndisc.c
index da5312c5ff47cfe8325ff04d47a9c4e3d4315d97..025deeff90055c62c687181e1b003d7f8dc5e53c 100644 (file)
--- a/src/network/networkd-ndisc.c
+++ b/src/network/networkd-ndisc.c
@@ -734,7 +734,7 @@ static int ndisc_router_process_captive_portal(Link *link, sd_ndisc_router *rt)
                 return r;
 
         if (len == 0) {
-                mfree(link->ndisc_captive_portal);
+                link->ndisc_captive_portal = mfree(link->ndisc_captive_portal);
                 return 0;
         }