Date: Tue, 24 May 2016 19:52:05 +0000 (UTC) From: Garrett Cooper <ngie@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r300624 - head/lib/libc/rpc Message-ID: <201605241952.u4OJq5Us012004@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: ngie Date: Tue May 24 19:52:05 2016 New Revision: 300624 URL: https://svnweb.freebsd.org/changeset/base/300624 Log: Fix up r300385 I accidentally glossed over the fact that tmp is manipulated via strchr, so if we tried to free `tmp` after r300385, it would have crashed. Create a separate pointer (tmp2) to track the original allocation of `tmp`, and free `tmp2` if `p->nc_lookups` can't be malloced MFC after: 4 days X-MFC with: r300385 Reported by: Coverity CID: 1356026 Sponsored by: EMC / Isilon Storage Division Modified: head/lib/libc/rpc/getnetconfig.c Modified: head/lib/libc/rpc/getnetconfig.c ============================================================================== --- head/lib/libc/rpc/getnetconfig.c Tue May 24 19:26:58 2016 (r300623) +++ head/lib/libc/rpc/getnetconfig.c Tue May 24 19:52:05 2016 (r300624) @@ -692,7 +692,7 @@ static struct netconfig * dup_ncp(struct netconfig *ncp) { struct netconfig *p; - char *tmp; + char *tmp, *tmp2; u_int i; if ((tmp=malloc(MAXNETCONFIGLINE)) == NULL) @@ -701,6 +701,7 @@ dup_ncp(struct netconfig *ncp) free(tmp); return(NULL); } + tmp2 = tmp; /* * First we dup all the data from matched netconfig buffer. Then we * adjust some of the member pointer to a pre-allocated buffer where @@ -722,7 +723,7 @@ dup_ncp(struct netconfig *ncp) if (p->nc_lookups == NULL) { free(p->nc_netid); free(p); - free(tmp); + free(tmp2); return(NULL); } for (i=0; i < p->nc_nlookups; i++) {
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201605241952.u4OJq5Us012004>