Date: Tue, 12 Jul 2005 22:45:26 +0200 (CEST) From: Dan Lukes <dan@obluda.cz> To: FreeBSD-gnats-submit@FreeBSD.org Subject: bin/83349: [ PATCH ] improper handling o malloc's failures within libc/yp/yplib.c routines Message-ID: <200507122045.j6CKjQ9d017184@kulesh.obluda.cz> Resent-Message-ID: <200507122050.j6CKoGRp084293@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 83349
>Category: bin
>Synopsis: [ PATCH ] improper handling o malloc's failures within libc/yp/yplib.c routines
>Confidential: no
>Severity: serious
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Tue Jul 12 20:50:16 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator: Dan Lukes
>Release: FreeBSD 5.4-STABLE i386
>Organization:
Obludarium
>Environment:
System: FreeBSD 5.4-STABLE #8: Sat Jul 9 16:31:08 CEST 2005 i386
lib/libc/yp/yplib.c,v 1.45.6.1 2005/05/13 17:06:52 ume
>Description:
Improper handling of malloc failures can cause NULL dereference and
memory leaking within yp_* routines.
>How-To-Repeat:
>Fix:
--- patch begins here ---
--- lib/libc/yp/yplib.c.ORIG Mon May 16 00:06:44 2005
+++ lib/libc/yp/yplib.c Tue Jul 12 22:36:33 2005
@@ -331,6 +331,8 @@
if (ysd == NULL) {
ysd = (struct dom_binding *)malloc(sizeof *ysd);
+ if (ysd == NULL)
+ return(YPERR_RESRC);
bzero((char *)ysd, sizeof *ysd);
ysd->dom_socket = -1;
ysd->dom_vers = 0;
@@ -675,11 +677,18 @@
*/
*outvallen = yprv.val.valdat_len;
*outval = (char *)malloc(*outvallen+1);
+ if (*outval == NULL) {
+ _yp_unbind(ysd);
+ *outvallen = 0;
+ YPUNLOCK();
+ return(YPERR_RESRC);
+ }
bcopy(yprv.val.valdat_val, *outval, *outvallen);
(*outval)[*outvallen] = '\0';
YPUNLOCK();
return (0);
}
+ _yp_unbind(ysd);
#endif
again:
@@ -705,6 +714,13 @@
if (!(r = ypprot_err(yprv.stat))) {
*outvallen = yprv.val.valdat_len;
*outval = (char *)malloc(*outvallen+1);
+ if (*outval == NULL) {
+ _yp_unbind(ysd);
+ *outvallen = 0;
+ xdr_free((xdrproc_t)xdr_ypresp_val, &yprv);
+ YPUNLOCK();
+ return(YPERR_RESRC);
+ }
bcopy(yprv.val.valdat_val, *outval, *outvallen);
(*outval)[*outvallen] = '\0';
#ifdef YPMATCHCACHE
@@ -783,10 +799,25 @@
if (!(r = ypprot_err(yprkv.stat))) {
*outkeylen = yprkv.key.keydat_len;
*outkey = (char *)malloc(*outkeylen+1);
+ if (*outkey == NULL) {
+ _yp_unbind(ysd);
+ *outkeylen = 0;
+ xdr_free((xdrproc_t)xdr_ypresp_key_val, &yprkv);
+ YPUNLOCK();
+ return(YPERR_RESRC);
+ }
bcopy(yprkv.key.keydat_val, *outkey, *outkeylen);
(*outkey)[*outkeylen] = '\0';
*outvallen = yprkv.val.valdat_len;
*outval = (char *)malloc(*outvallen+1);
+ if (*outval == NULL) {
+ free(*outkey);
+ _yp_unbind(ysd);
+ *outkeylen = *outvallen = 0;
+ xdr_free((xdrproc_t)xdr_ypresp_key_val, &yprkv);
+ YPUNLOCK();
+ return(YPERR_RESRC);
+ }
bcopy(yprkv.val.valdat_val, *outval, *outvallen);
(*outval)[*outvallen] = '\0';
}
@@ -843,10 +874,25 @@
if (!(r = ypprot_err(yprkv.stat))) {
*outkeylen = yprkv.key.keydat_len;
*outkey = (char *)malloc(*outkeylen+1);
+ if (*outkey == NULL) {
+ _yp_unbind(ysd);
+ *outkeylen = 0;
+ xdr_free((xdrproc_t)xdr_ypresp_key_val, &yprkv);
+ YPUNLOCK();
+ return(YPERR_RESRC);
+ }
bcopy(yprkv.key.keydat_val, *outkey, *outkeylen);
(*outkey)[*outkeylen] = '\0';
*outvallen = yprkv.val.valdat_len;
*outval = (char *)malloc(*outvallen+1);
+ if (*outval == NULL) {
+ free(*outkey);
+ _yp_unbind(ysd);
+ *outkeylen = *outvallen = 0;
+ xdr_free((xdrproc_t)xdr_ypresp_key_val, &yprkv);
+ YPUNLOCK();
+ return(YPERR_RESRC);
+ }
bcopy(yprkv.val.valdat_val, *outval, *outvallen);
(*outval)[*outvallen] = '\0';
}
--- patch ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200507122045.j6CKjQ9d017184>