Message-Id: <201111290816.pAT8GENU030803@svn.freebsd.org>
From: Xin LI
Date: Tue, 29 Nov 2011 08:16:14 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: svn commit: r228119 - head/usr.sbin/mfiutil

Author: delphij
Date: Tue Nov 29 08:16:14 2011
New Revision: 228119
URL: http://svn.freebsd.org/changeset/base/228119

Log:
  In build_volume(), check if arrays is allocated before traversing its
  items.  While parsing the arrays input, it's possible that we reach the
  error path before initializing the 'arrays' pointer, which in turn leads
  to a NULL dereference.

  Submitted by: Garrett Cooper
  MFC after: 1 week

Modified:
  head/usr.sbin/mfiutil/mfi_config.c

Modified: head/usr.sbin/mfiutil/mfi_config.c ============================================================================== --- head/usr.sbin/mfiutil/mfi_config.c Tue Nov 29 07:59:45 2011 (r228118) +++ head/usr.sbin/mfiutil/mfi_config.c Tue Nov 29 08:16:14 2011 (r228119) @@ -820,9 +820,11 @@ error: free(config); free(state.volumes); free(state.arrays); - for (i = 0; i < narrays; i++) - free(arrays[i].drives); - free(arrays); + if (arrays != NULL) { + for (i = 0; i < narrays; i++) + free(arrays[i].drives); + free(arrays); + } close(fd); return (error);
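
Review bot: The new "if (arrays != NULL)" guard in the error: path is only sound if arrays is initialized to NULL where it is declared, and that declaration is not part of this hunk; please confirm it, or add the initializer in the same change, since otherwise the early error path described in the log tests an indeterminate pointer. Two smaller points on the same block: free(NULL) is a no-op, so only the loop over arrays[i].drives needs protecting, and the guard implies narrays can be non-zero while arrays is still unallocated, which deserves a short comment. The loop also frees drives for all narrays entries, so if the error path can be reached after arrays is allocated but before every entry is filled in, the allocation needs to zero the entries for these frees to be safe.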