Skip site navigation (1)Skip section navigation (2)
Date:      Tue, 7 Feb 2012 04:03:39 +0000 (UTC)
From:      Ed Maste <emaste@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-9@freebsd.org
Subject:   svn commit: r231112 - stable/9/usr.sbin/mfiutil
Message-ID:  <201202070403.q1743dux067853@svn.freebsd.org>

next in thread | raw e-mail | index | archive | help
Author: emaste
Date: Tue Feb  7 04:03:39 2012
New Revision: 231112
URL: http://svn.freebsd.org/changeset/base/231112

Log:
  MFC r227893 and r228119:
  
    Avoid double free creating a new RAID with invalid command line
    arguments.
  
    In build_volume(), check if arrays is allocated before traversing its
    items.  While parsing the arrays input, it's possible that we reach the
    error path before initializing the 'arrays' pointer, which in turn leads
    to a NULL deference.

Modified:
  stable/9/usr.sbin/mfiutil/mfi_config.c
Directory Properties:
  stable/9/usr.sbin/mfiutil/   (props changed)

Modified: stable/9/usr.sbin/mfiutil/mfi_config.c
==============================================================================
--- stable/9/usr.sbin/mfiutil/mfi_config.c	Tue Feb  7 04:00:57 2012	(r231111)
+++ stable/9/usr.sbin/mfiutil/mfi_config.c	Tue Feb  7 04:03:39 2012	(r231112)
@@ -348,6 +348,7 @@ parse_array(int fd, int raid_type, char 
 		error = mfi_lookup_drive(fd, cp, &device_id);
 		if (error) {
 			free(info->drives);
+			info->drives = NULL;
 			return (error);
 		}
 
@@ -355,12 +356,14 @@ parse_array(int fd, int raid_type, char 
 			error = errno;
 			warn("Failed to fetch drive info for drive %s", cp);
 			free(info->drives);
+			info->drives = NULL;
 			return (error);
 		}
 
 		if (pinfo->fw_state != MFI_PD_STATE_UNCONFIGURED_GOOD) {
 			warnx("Drive %u is not available", device_id);
 			free(info->drives);
+			info->drives = NULL;
 			return (EINVAL);
 		}
 	}
@@ -817,9 +820,11 @@ error:
 	free(config);
 	free(state.volumes);
 	free(state.arrays);
-	for (i = 0; i < narrays; i++)
-		free(arrays[i].drives);
-	free(arrays);
+	if (arrays != NULL) {
+		for (i = 0; i < narrays; i++)
+			free(arrays[i].drives);
+		free(arrays);
+	}
 	close(fd);
 
 	return (error);



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201202070403.q1743dux067853>