A common code pattern for double free (and other issues) is incorrect life-time management along error paths. Sometimes this will result in use-after-frees but in this case its a double free. During the parse_meta_element_create
function it will create an element object for what was just parsed, and then try to insert it into the relevant dataset using dcm_dataset_insert
. This makes sense, and the code checks if dcm_dataset_insert
was successful, if it wasn’t it’ll destroy/free the newly created element believing that it still has ownership over that pointer since the function didn’t complete successfully.
However dcm_dataset_insert
also believes it has ownership over that pointer. So the insertion function does its thing first by checking if the dataset already contains an element with the same tag, if so it returns a failure, but not before it destroys the object also. Along this error path in insert it will free the element, and the caller will free the same element, both believing they have ownership over it.
A traditional unbounded strcpy
, this one is a bit fun because its happening as a server you are connecting to printing a vulnerable ANSI escape code and arguments.
the command __dt
is meant to duplicate a terminal session it will allocate a host
and user
character arrays on the stack, then strcpy
values from the ASNI escape sequence into it. As those are attacker controlled values they can overflow the allocated buffers.