bin/83344: [ PATCH ] Improper handling of malloc failures within
libc's RPC functions
Dan Lukes
dan at obluda.cz
Tue Jul 12 19:00:19 GMT 2005
>Number: 83344
>Category: bin
>Synopsis: [ PATCH ] Improper handling of malloc failures within libc's RPC functions
>Confidential: no
>Severity: serious
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Tue Jul 12 19:00:10 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator: Dan Lukes
>Release: FreeBSD 5.4-STABLE i386
>Organization:
Obludarium
>Environment:
System: FreeBSD 5.4-STABLE #8: Sat Jul 9 16:31:08 CEST 2005 i386
lib/libc/rpc/rpcb_clnt.c,v 1.13 2003/10/29 09:22:49 mbr
>Description:
Improper handling of malloc failures causes a memory leak.
Improper checking of the targaddr parameter within getclnthandle() may
cause dereferencing of NULL.
>How-To-Repeat:
>Fix:
--- patch begins here ---
--- lib/libc/rpc/rpcb_clnt.c.ORIG Fri Nov 14 03:22:48 2003
+++ lib/libc/rpc/rpcb_clnt.c Tue Jul 12 20:26:30 2005
@@ -239,11 +239,21 @@
ad_cache->ac_taddr = (struct netbuf *)malloc(sizeof (struct netbuf));
if (!ad_cache->ac_host || !ad_cache->ac_netid || !ad_cache->ac_taddr ||
(uaddr && !ad_cache->ac_uaddr)) {
+ free(ad_cache->ac_host);
+ free(ad_cache->ac_netid);
+ free(ad_cache->ac_uaddr);
+ free(ad_cache->ac_taddr);
+ free(ad_cache);
return;
}
ad_cache->ac_taddr->len = ad_cache->ac_taddr->maxlen = taddr->len;
ad_cache->ac_taddr->buf = (char *) malloc(taddr->len);
if (ad_cache->ac_taddr->buf == NULL) {
+ free(ad_cache->ac_host);
+ free(ad_cache->ac_netid);
+ free(ad_cache->ac_uaddr);
+ free(ad_cache->ac_taddr);
+ free(ad_cache);
return;
}
memcpy(ad_cache->ac_taddr->buf, taddr->buf, taddr->len);
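Review bot: the two error paths added in this hunk repeat the same five free() calls verbatim; a single cleanup label (for example `goto fail;` with the frees and `return;` placed once after the success path) keeps the two sequences from drifting apart if another ad_cache member is added later. Note also that `free(ad_cache->ac_uaddr)` in the first block is only safe if ac_uaddr is set to NULL whenever uaddr is NULL, which the visible context does not show; please confirm that initialisation happens before the check.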
@@ -375,9 +385,15 @@
} else {
struct sockaddr_un sun;
- *targaddr = malloc(sizeof(sun.sun_path));
- strncpy(*targaddr, _PATH_RPCBINDSOCK,
- sizeof(sun.sun_path));
+ if (targaddr) {
+ *targaddr = malloc(sizeof(sun.sun_path));
+ if (*targaddr == NULL) {
+ CLNT_DESTROY(client);
+ return(NULL);
+ }
+ strncpy(*targaddr, _PATH_RPCBINDSOCK,
+ sizeof(sun.sun_path));
+ }
return (client);
}
} else {
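Review bot: on the new `*targaddr == NULL` path the function destroys the client and returns NULL, but nothing distinguishes this failure from the other NULL returns of getclnthandle(); consider recording the cause (libc's RPC code reports creation failures through rpc_createerr, e.g. `rpc_createerr.cf_stat = RPC_SYSTEMERROR;` with `cf_error.re_errno = errno`) before `return(NULL);` so callers get a usable error. Guarding on `if (targaddr)` fixes the NULL dereference the PR describes; the pre-existing `strncpy(*targaddr, _PATH_RPCBINDSOCK, sizeof(sun.sun_path))` still leaves the buffer unterminated if the path fills sun_path, which is outside this patch but worth a follow-up.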
--- patch ends here ---
Remember that free(NULL) is a correct construction, so it's not
necessary to do something like if (x) free(x);
>Release-Note:
>Audit-Trail:
>Unformatted: