Problem Description:
An unprivileged process can configure an accept filter on a listening
socket. This is done using the setsockopt(2) system call. The process
supplies the name of the accept filter which is to be attached to the
socket, as well as a string containing filter-specific information.
If the filter implements the accf_create callback, the socket option
handler attempts to preserve the process-supplied argument string. A
bug in the socket option handler caused this string to be freed
prematurely, leaving a dangling pointer. Additional operations on the
socket can turn this into a double free or a use-after-free.
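The lifetime error described above, as an added example: a userland model, not FreeBSD kernel code and not the project's patch. All names (sock_model, set_filter, run_model, the tracking allocator) are hypothetical, the argument string is constructed, and the "fixed" path shows one common ownership-handoff pattern as an assumption about how such a bug is avoided.

```c
/* Userland model of the lifetime bug; NOT FreeBSD kernel code. Names are hypothetical. */
#include <stdlib.h>
#include <string.h>

#define SLOTS 4
static struct { char *p; int live; } tab[SLOTS]; /* tracking allocator state */
static int bad_frees;                            /* frees of already-freed memory */
static char *t_strdup(const char *s) {
    for (int i = 0; i < SLOTS; i++) {
        if (tab[i].p != NULL) continue;
        if ((tab[i].p = malloc(strlen(s) + 1)) == NULL) return NULL;
        strcpy(tab[i].p, s);
        tab[i].live = 1;
        return tab[i].p;
    }
    return NULL;
}
/* Marks the block dead instead of releasing it, so a second free is counted, not executed. */
static void t_free(const char *p) {
    for (int i = 0; p != NULL && i < SLOTS; i++) {
        if (tab[i].p != p) continue;
        if (tab[i].live) tab[i].live = 0; else bad_frees++;
        return;
    }
}
static int t_live(const char *p) {
    for (int i = 0; i < SLOTS; i++) if (p && tab[i].p == p) return tab[i].live;
    return 0;
}
struct sock_model { char *filter_arg; };         /* string preserved for the filter */
struct outcome { int dangling; int double_frees; };
static void set_filter(struct sock_model *so, const char *user_arg, int fixed) {
    char *copy = t_strdup(user_arg);  /* copy of the process-supplied string */
    so->filter_arg = copy;            /* socket keeps a reference */
    if (fixed) copy = NULL;           /* hand ownership to the socket */
    t_free(copy);                     /* handler cleanup: premature free when !fixed */
}

struct outcome run_model(int fixed) {
    struct sock_model so = { NULL };
    struct outcome r;
    for (int i = 0; i < SLOTS; i++) { free(tab[i].p); tab[i].p = NULL; tab[i].live = 0; }
    bad_frees = 0;
    set_filter(&so, "constructed-arg", fixed);
    r.dangling = so.filter_arg != NULL && !t_live(so.filter_arg);
    t_free(so.filter_arg);            /* later teardown of the socket's filter state */
    r.double_frees = bad_frees;
    return r;
}
```

With fixed set to 0 the model reports a dangling reference and one double free at teardown; with fixed set to 1 it reports neither.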
Impact:
The bug may be exploited to trigger local privilege escalation or
kernel memory disclosure.