Date: Wed, 8 Jun 2016 18:46:10 +0000 (UTC) From: Garrett Cooper <ngie@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-10@freebsd.org Subject: svn commit: r301687 - stable/10/lib/libc/rpc Message-ID: <201606081846.u58IkA3k061231@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: ngie Date: Wed Jun 8 18:46:10 2016 New Revision: 301687 URL: https://svnweb.freebsd.org/changeset/base/301687 Log: MFC r300624: Fix up r300385 I accidentally glossed over the fact that tmp is manipulated via strchr, so if we tried to free `tmp` after r300385, it would have crashed. Create a separate pointer (tmp2) to track the original allocation of `tmp`, and free `tmp2` if `p->nc_lookups` can't be malloced CID: 1356026 Modified: stable/10/lib/libc/rpc/getnetconfig.c Directory Properties: stable/10/ (props changed) Modified: stable/10/lib/libc/rpc/getnetconfig.c ============================================================================== --- stable/10/lib/libc/rpc/getnetconfig.c Wed Jun 8 18:43:56 2016 (r301686) +++ stable/10/lib/libc/rpc/getnetconfig.c Wed Jun 8 18:46:10 2016 (r301687) @@ -697,7 +697,7 @@ dup_ncp(ncp) struct netconfig *ncp; { struct netconfig *p; - char *tmp; + char *tmp, *tmp2; u_int i; if ((tmp=malloc(MAXNETCONFIGLINE)) == NULL) @@ -706,6 +706,7 @@ struct netconfig *ncp; free(tmp); return(NULL); } + tmp2 = tmp; /* * First we dup all the data from matched netconfig buffer. Then we * adjust some of the member pointer to a pre-allocated buffer where @@ -727,7 +728,7 @@ struct netconfig *ncp; if (p->nc_lookups == NULL) { free(p->nc_netid); free(p); - free(tmp); + free(tmp2); return(NULL); } for (i=0; i < p->nc_nlookups; i++) {
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201606081846.u58IkA3k061231>