Date:      Sat, 30 Apr 2016 09:13:26 +0000 (UTC)
From:      Garrett Cooper <ngie@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r298839 - head/lib/libkvm
Message-ID:  <201604300913.u3U9DQOk051580@repo.freebsd.org>

Author: ngie
Date: Sat Apr 30 09:13:26 2016
New Revision: 298839
URL: https://svnweb.freebsd.org/changeset/base/298839

Log:
  Fix memory allocation edge cases in kvm_argv(..)
  
  - Don't leak nbufp on realloc failure in kvm_argv
  - Catch malloc errors with bufp
  - Set buflen last in the "buflen == 0" case to ensure that
    bufp/nbufp is properly reallocated on the next go around
  
  Differential Revision: https://reviews.freebsd.org/D6051
  MFC after: 1 week
  Reviewed by: jhb, markj
  Reported by: cppcheck
  Sponsored by: EMC / Isilon Storage Division

Modified:
  head/lib/libkvm/kvm_proc.c

Modified: head/lib/libkvm/kvm_proc.c
==============================================================================
--- head/lib/libkvm/kvm_proc.c	Sat Apr 30 06:48:48 2016	(r298838)
+++ head/lib/libkvm/kvm_proc.c	Sat Apr 30 09:13:26 2016	(r298839)
@@ -666,6 +666,7 @@ kvm_argv(kvm_t *kd, const struct kinfo_p
 	static char *buf, *p;
 	static char **bufp;
 	static int argc;
+	char **nbufp;
 
 	if (!ISALIVE(kd)) {
 		_kvm_err(kd, kd->program,
@@ -681,9 +682,15 @@ kvm_argv(kvm_t *kd, const struct kinfo_p
 			_kvm_err(kd, kd->program, "cannot allocate memory");
 			return (NULL);
 		}
-		buflen = nchr;
 		argc = 32;
 		bufp = malloc(sizeof(char *) * argc);
+		if (bufp == NULL) {
+			free(buf);
+			buf = NULL;
+			_kvm_err(kd, kd->program, "cannot allocate memory");
+			return (NULL);
+		}
+		buflen = nchr;
 	} else if (nchr > buflen) {
 		p = realloc(buf, nchr);
 		if (p != NULL) {
@@ -716,8 +723,10 @@ kvm_argv(kvm_t *kd, const struct kinfo_p
 		p += strlen(p) + 1;
 		if (i >= argc) {
 			argc += argc;
-			bufp = realloc(bufp,
-			    sizeof(char *) * argc);
+			nbufp = realloc(bufp, sizeof(char *) * argc);
+			if (nbufp == NULL)
+				return (NULL);
+			bufp = nbufp;
 		}
 	} while (p < buf + bufsz);
 	bufp[i++] = 0;
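Review bot: The realloc failure path added here returns with `argc` already doubled by the preceding `argc += argc`, so the static `argc` now overstates the capacity of `bufp`, which realloc left at its old size; on the next call that reaches this loop, the `i >= argc` growth check will not fire until `i` is twice the real slot count, and the stores into `bufp` can run past the end of the allocation. Undo the growth before bailing out, e.g. `if (nbufp == NULL) { argc /= 2; return (NULL); }`, or compute the new size into a local and assign it to `argc` only after `bufp = nbufp;`. The new path also returns NULL without calling `_kvm_err(kd, kd->program, "cannot allocate memory")`, unlike the bufp malloc failure handled in the earlier hunk, so a caller that checks kvm_geterr() after a NULL return sees no message for this case. kvm_argv's body starts and continues outside this hunk.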


