From owner-svn-src-stable-9@freebsd.org Wed Jun 8 18:47:01 2016 Return-Path: Delivered-To: svn-src-stable-9@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 5BA00B6F5A8; Wed, 8 Jun 2016 18:47:01 +0000 (UTC) (envelope-from ngie@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 2B1851CC1; Wed, 8 Jun 2016 18:47:01 +0000 (UTC) (envelope-from ngie@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id u58Il0iY061330; Wed, 8 Jun 2016 18:47:00 GMT (envelope-from ngie@FreeBSD.org) Received: (from ngie@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id u58Il02l061329; Wed, 8 Jun 2016 18:47:00 GMT (envelope-from ngie@FreeBSD.org) Message-Id: <201606081847.u58Il02l061329@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: ngie set sender to ngie@FreeBSD.org using -f From: Garrett Cooper Date: Wed, 8 Jun 2016 18:47:00 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-9@freebsd.org Subject: svn commit: r301688 - stable/9/lib/libc/rpc X-SVN-Group: stable-9 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-stable-9@freebsd.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: SVN commit messages for only the 9-stable src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 08 Jun 2016 18:47:01 -0000 Author: ngie Date: Wed Jun 8 18:47:00 2016 New Revision: 301688 URL: https://svnweb.freebsd.org/changeset/base/301688 Log: MFstable/10 r301687: MFC r300624: Fix up r300385 I accidentally glossed over the fact that tmp is manipulated via strchr, so if we tried to free `tmp` after r300385, it would have crashed. Create a separate pointer (tmp2) to track the original allocation of `tmp`, and free `tmp2` if `p->nc_lookups` can't be malloced CID: 1356026 Modified: stable/9/lib/libc/rpc/getnetconfig.c Directory Properties: stable/9/ (props changed) stable/9/lib/ (props changed) stable/9/lib/libc/ (props changed) Modified: stable/9/lib/libc/rpc/getnetconfig.c ============================================================================== --- stable/9/lib/libc/rpc/getnetconfig.c Wed Jun 8 18:46:10 2016 (r301687) +++ stable/9/lib/libc/rpc/getnetconfig.c Wed Jun 8 18:47:00 2016 (r301688) @@ -697,7 +697,7 @@ dup_ncp(ncp) struct netconfig *ncp; { struct netconfig *p; - char *tmp; + char *tmp, *tmp2; u_int i; if ((tmp=malloc(MAXNETCONFIGLINE)) == NULL) @@ -706,6 +706,7 @@ struct netconfig *ncp; free(tmp); return(NULL); } + tmp2 = tmp; /* * First we dup all the data from matched netconfig buffer. Then we * adjust some of the member pointer to a pre-allocated buffer where @@ -727,7 +728,7 @@ struct netconfig *ncp; if (p->nc_lookups == NULL) { free(p->nc_netid); free(p); - free(tmp); + free(tmp2); return(NULL); } for (i=0; i < p->nc_nlookups; i++) {