Date: Wed, 13 Sep 2017 04:32:23 +0000 (UTC) From: Warner Losh <imp@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r323519 - head/lib/libefivar Message-ID: <201709130432.v8D4WNgF011579@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: imp Date: Wed Sep 13 04:32:23 2017 New Revision: 323519 URL: https://svnweb.freebsd.org/changeset/base/323519 Log: Minor fixes to edge cases in efi_get_next_variable_name Fix allocating more memory for the names (unlikely to be needed, but still best to get right) to ask for the length the kernel told use we needed, not the old length of the variable. Mind the proper NUL that we add in the space we allocate. Free the old name string before we allcoate a new one to limit what we leak to the last one (free passed in name for the last one in the list), and detect the last one by rv != 0 and errno == ENOENT, rather then just the former to avoid false positives if errno happens to be ENOENT on entry. Sponsored by: Netflix Modified: head/lib/libefivar/efivar.c Modified: head/lib/libefivar/efivar.c ============================================================================== --- head/lib/libefivar/efivar.c Wed Sep 13 03:56:03 2017 (r323518) +++ head/lib/libefivar/efivar.c Wed Sep 13 04:32:23 2017 (r323519) @@ -225,8 +225,13 @@ efi_get_next_variable_name(efi_guid_t **guid, char **n if (efi_open_dev() == -1) return -1; + /* + * Always allocate enough for an extra NUL on the end, but don't tell + * the IOCTL about it so we can NUL terminate the name before converting + * it to UTF8. + */ if (buf == NULL) - buf = malloc(buflen); + buf = malloc(buflen + sizeof(efi_char)); again: efi_var_reset(&var); @@ -244,21 +249,23 @@ again: rv = ioctl(efi_fd, EFIIOC_VAR_NEXT, &var); if (rv == 0 && var.name == NULL) { /* - * oops, too little space. Try again. + * Variable name not long enough, so allocate more space for the + * name and try again. As above, mind the NUL we add. */ - void *new = realloc(buf, buflen); - buflen = var.namesize; + void *new = realloc(buf, var.namesize + sizeof(efi_char)); if (new == NULL) { rv = -1; errno = ENOMEM; goto done; } + buflen = var.namesize; buf = new; goto again; } if (rv == 0) { - *name = NULL; /* XXX */ + free(*name); /* Free last name, to avoid leaking */ + *name = NULL; /* Force ucs2_to_utf8 to malloc new space */ var.name[var.namesize / sizeof(efi_char)] = 0; /* EFI doesn't NUL terminate */ rv = ucs2_to_utf8(var.name, name); if (rv != 0) @@ -269,9 +276,11 @@ again: errout: /* XXX The linux interface expects name to be a static buffer -- fix or leak memory? */ + /* XXX for the moment, we free just before we'd leak, but still leak last one */ done: - if (errno == ENOENT) { + if (rv != 0 && errno == ENOENT) { errno = 0; + free(*name); /* Free last name, to avoid leaking */ return 0; }
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201709130432.v8D4WNgF011579>