Date: Tue, 12 Jul 2005 18:06:50 +0200 (CEST) From: Dan Lukes <dan@obluda.cz> To: FreeBSD-gnats-submit@FreeBSD.org Subject: bin/83336: [ PATCH ] libc's parse_ncp() don't check malloc/realloc for failures Message-ID: <200507121606.j6CG6ooF015600@kulesh.obluda.cz> Resent-Message-ID: <200507121610.j6CGAPVA053903@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 83336
>Category: bin
>Synopsis: [ PATCH ] libc's parse_ncp() don't check malloc/realloc for failures
>Confidential: no
>Severity: serious
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Tue Jul 12 16:10:25 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator: Dan Lukes
>Release: FreeBSD 5.4-STABLE i386
>Organization:
Obludarium
>Environment:
System: FreeBSD 5.4-STABLE #8: Sat Jul 9 16:31:08 CEST 2005 i386
src/lib/libc/rpc/getnetconfig.c,v 1.10 2004/03/05 08:10:17 markm
>Description:
parse_ncp() called from getnetconfig() and getnetconfigent() dodn't
check malloc/realloc for failures. It may cause NULL dereferencing.
It assume the allocated memory is '\0' filled also.
>How-To-Repeat:
>Fix:
--- patch begins here ---
--- lib/libc/rpc/getnetconfig.c.ORIG Mon Mar 8 14:41:03 2004
+++ lib/libc/rpc/getnetconfig.c Tue Jul 12 17:43:19 2005
@@ -420,18 +420,6 @@
return (NULL);
}
- if (strcmp(netid, "unix") == 0) {
- fprintf(stderr, "The local transport is called \"unix\" ");
- fprintf(stderr, "in /etc/netconfig.\n");
- fprintf(stderr, "Please change this to \"local\" manually ");
- fprintf(stderr, "or run mergemaster(8).\n");
- fprintf(stderr, "See UPDATING entry 20021216 for details.\n");
- fprintf(stderr, "Continuing in 10 seconds\n\n");
- fprintf(stderr, "This warning will be removed 20030301\n");
- sleep(10);
-
- }
-
/*
* Look up table if the entries have already been read and parsed in
* getnetconfig(), then copy this entry into a buffer and return it.
@@ -603,13 +591,18 @@
free(ncp->nc_lookups);
/* preallocate one string pointer */
ncp->nc_lookups = (char **)malloc(sizeof (char *));
+ if (ncp->nc_lookups == NULL)
+ return(-1);
ncp->nc_nlookups = 0;
while ((cp = tokenp) != NULL) {
tokenp = _get_next_token(cp, ',');
ncp->nc_lookups[(size_t)ncp->nc_nlookups++] = cp;
- ncp->nc_lookups = (char **)realloc(ncp->nc_lookups,
+ ncp->nc_lookups = (char **)reallocf(ncp->nc_lookups,
(size_t)(ncp->nc_nlookups+1) *sizeof(char *)); /* for next loop */
+ if (ncp->nc_lookups == NULL)
+ return(-1);
}
+ ncp->nc_lookups[(size_t)ncp->nc_nlookups] = '\0';
}
return (0);
}
--- patch ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200507121606.j6CG6ooF015600>