From owner-freebsd-bugs@FreeBSD.ORG Wed Jan 4 21:50:13 2012 Return-Path: Delivered-To: freebsd-bugs@hub.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 6C83810656A9 for ; Wed, 4 Jan 2012 21:50:13 +0000 (UTC) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id 5A4F38FC17 for ; Wed, 4 Jan 2012 21:50:13 +0000 (UTC) Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.5/8.14.5) with ESMTP id q04LoDmf020828 for ; Wed, 4 Jan 2012 21:50:13 GMT (envelope-from gnats@freefall.freebsd.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.14.5/8.14.5/Submit) id q04LoDFw020826; Wed, 4 Jan 2012 21:50:13 GMT (envelope-from gnats) Date: Wed, 4 Jan 2012 21:50:13 GMT Message-Id: <201201042150.q04LoDFw020826@freefall.freebsd.org> To: freebsd-bugs@FreeBSD.org From: Guy Helmer Cc: Subject: Re: bin/83340: [patch] setnetgrent() and supporting functions don' t check malloc for failures X-BeenThere: freebsd-bugs@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: Guy Helmer List-Id: Bug reports List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 04 Jan 2012 21:50:13 -0000 The following reply was made to PR bin/83340; it has been noted by GNATS. From: Guy Helmer To: bug-followup@FreeBSD.org, dan@obluda.cz Cc: Subject: Re: bin/83340: [patch] setnetgrent() and supporting functions don't check malloc for failures Date: Wed, 4 Jan 2012 15:17:13 -0600 I have updated the patch a bit to resolve the possibility of a memory = leak in parse_netgrp() if an ng_str[] element allocation fails, and to = prevent corrupting the grouphead.gr chain in the event any allocation = fails. However, I don't have an environment handy to test this so if you = could check this before I commit it, I would appreciate it. Index: getnetgrent.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D --- getnetgrent.c (revision 229512) +++ getnetgrent.c (working copy) @@ -203,9 +203,7 @@ if (parse_netgrp(group)) endnetgrent(); else { - grouphead.grname =3D (char *) - malloc(strlen(group) + 1); - strcpy(grouphead.grname, group); + grouphead.grname =3D strdup(group); } if (netf) fclose(netf); @@ -417,7 +415,7 @@ parse_netgrp(const char *group) { char *spos, *epos; - int len, strpos; + int len, strpos, freepos; #ifdef DEBUG int fields; #endif @@ -454,9 +452,9 @@ while (pos !=3D NULL && *pos !=3D '\0') { if (*pos =3D=3D '(') { grp =3D (struct netgrp *)malloc(sizeof (struct = netgrp)); + if (grp =3D=3D NULL) + return(1); bzero((char *)grp, sizeof (struct netgrp)); - grp->ng_next =3D grouphead.gr; - grouphead.gr =3D grp; pos++; gpos =3D strsep(&pos, ")"); #ifdef DEBUG @@ -477,6 +475,13 @@ if (len > 0) { grp->ng_str[strpos] =3D = (char *) malloc(len + 1); + if (grp->ng_str[strpos] = =3D=3D NULL) { + for (freepos =3D = 0; freepos < strpos; freepos++) + if = (grp->ng_str[freepos] !=3D NULL) + = free(grp->ng_str[freepos]); + free(grp); + return(1); + } bcopy(spos, = grp->ng_str[strpos], len + 1); } @@ -490,6 +495,8 @@ grp->ng_str[strpos] =3D NULL; } } + grp->ng_next =3D grouphead.gr; + grouphead.gr =3D grp; #ifdef DEBUG /* * Note: on other platforms, malformed netgroup @@ -526,7 +533,7 @@ static struct linelist * read_for_group(const char *group) { - char *pos, *spos, *linep, *olinep; + char *pos, *spos, *linep; int len, olen; int cont; struct linelist *lp; @@ -534,6 +541,7 @@ #ifdef YP char *result; int resultlen; + linep =3D NULL; =20 while (_netgr_yp_enabled || fgets(line, LINSIZ, netf) !=3D NULL) = { if (_netgr_yp_enabled) { @@ -554,6 +562,7 @@ free(result); } #else + linep =3D NULL; while (fgets(line, LINSIZ, netf) !=3D NULL) { #endif pos =3D (char *)&line; @@ -576,8 +585,14 @@ pos++; if (*pos !=3D '\n' && *pos !=3D '\0') { lp =3D (struct linelist *)malloc(sizeof (*lp)); + if (lp =3D=3D NULL)=20 + return(NULL); lp->l_parsed =3D 0; lp->l_groupname =3D (char *)malloc(len + 1); + if (lp->l_groupname =3D=3D NULL) { + free(lp); + return(NULL); + } bcopy(spos, lp->l_groupname, len); *(lp->l_groupname + len) =3D '\0'; len =3D strlen(pos); @@ -595,15 +610,15 @@ } else cont =3D 0; if (len > 0) { - linep =3D (char *)malloc(olen + = len + 1); - if (olen > 0) { - bcopy(olinep, linep, = olen); - free(olinep); + linep =3D (char = *)reallocf(linep, olen + len + 1); + if (linep =3D=3D NULL) { + free(lp->l_groupname); + free(lp); + return(NULL); } bcopy(pos, linep + olen, len); olen +=3D len; *(linep + olen) =3D '\0'; - olinep =3D linep; } if (cont) { if (fgets(line, LINSIZ, netf)) { @@ -634,5 +649,5 @@ */ rewind(netf); #endif - return ((struct linelist *)0); + return (NULL); } -------- This message has been scanned by ComplianceSafe, powered by Palisade's PacketSure.