bin/83344: [ PATCH ] Improper handling of malloc failures within libc's RPC functions

Dan Lukes dan at obluda.cz
Tue Jul 12 19:00:19 GMT 2005 

>Number:         83344
>Category:       bin
>Synopsis:       [ PATCH ] Improper handling of malloc failures within libc's RPC functions
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Jul 12 19:00:10 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator:     Dan Lukes
>Release:        FreeBSD 5.4-STABLE i386
>Organization:
Obludarium
>Environment:
System: FreeBSD 5.4-STABLE #8: Sat Jul 9 16:31:08 CEST 2005 i386
lib/libc/rpc/rpcb_clnt.c,v 1.13 2003/10/29 09:22:49 mbr

>Description:
	Improper handling of malloc failures cause the memory leak.

	Improper checking of targaddr parameter within getclnthandle() may
cause dereferencing of NULL

>How-To-Repeat:
>Fix:

--- patch begins here ---
--- lib/libc/rpc/rpcb_clnt.c.ORIG	Fri Nov 14 03:22:48 2003
+++ lib/libc/rpc/rpcb_clnt.c	Tue Jul 12 20:26:30 2005
@@ -239,11 +239,21 @@
 	ad_cache->ac_taddr = (struct netbuf *)malloc(sizeof (struct netbuf));
 	if (!ad_cache->ac_host || !ad_cache->ac_netid || !ad_cache->ac_taddr ||
 		(uaddr && !ad_cache->ac_uaddr)) {
+		free(ad_cache->ac_host);
+		free(ad_cache->ac_netid);
+		free(ad_cache->ac_uaddr);
+		free(ad_cache->ac_taddr);
+		free(ad_cache);
 		return;
 	}
 	ad_cache->ac_taddr->len = ad_cache->ac_taddr->maxlen = taddr->len;
 	ad_cache->ac_taddr->buf = (char *) malloc(taddr->len);
 	if (ad_cache->ac_taddr->buf == NULL) {
+		free(ad_cache->ac_host);
+		free(ad_cache->ac_netid);
+		free(ad_cache->ac_uaddr);
+		free(ad_cache->ac_taddr);
+		free(ad_cache);
 		return;
 	}
 	memcpy(ad_cache->ac_taddr->buf, taddr->buf, taddr->len);
@@ -375,9 +385,15 @@
 		} else {
 			struct sockaddr_un sun;
 
-			*targaddr = malloc(sizeof(sun.sun_path));
-			strncpy(*targaddr, _PATH_RPCBINDSOCK,
-			    sizeof(sun.sun_path));
+			if (targaddr) {
+				*targaddr = malloc(sizeof(sun.sun_path));
+				if (*targaddr == NULL) {
+					CLNT_DESTROY(client);
+					return(NULL);
+				}
+				strncpy(*targaddr, _PATH_RPCBINDSOCK,
+				    sizeof(sun.sun_path));
+			}
 			return (client);
 		}
 	} else {
--- patch ends here ---

	Remember the free(NULL) is correct construction, so it's not
necesarry to do something like if (x) free(x);
>Release-Note:
>Audit-Trail:
>Unformatted:

More information about the freebsd-bugs mailing list