bin/83349: [ PATCH ] improper handling o malloc's failures within libc/yp/yplib.c routines

Dan Lukes dan at obluda.cz
Tue Jul 12 20:50:17 GMT 2005


>Number:         83349
>Category:       bin
>Synopsis:       [ PATCH ] improper handling o malloc's failures within libc/yp/yplib.c routines
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Jul 12 20:50:16 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator:     Dan Lukes
>Release:        FreeBSD 5.4-STABLE i386
>Organization:
Obludarium
>Environment:
System: FreeBSD 5.4-STABLE #8: Sat Jul 9 16:31:08 CEST 2005 i386
lib/libc/yp/yplib.c,v 1.45.6.1 2005/05/13 17:06:52 ume

>Description:
	Improper handling of malloc failures can cause a NULL pointer dereference
and memory leaks within yp_* routines.

>How-To-Repeat:
>Fix:

--- patch begins here ---
--- lib/libc/yp/yplib.c.ORIG	Mon May 16 00:06:44 2005
+++ lib/libc/yp/yplib.c	Tue Jul 12 22:36:33 2005
@@ -331,6 +331,8 @@
 
 	if (ysd == NULL) {
 		ysd = (struct dom_binding *)malloc(sizeof *ysd);
+		if (ysd == NULL)
+			return(YPERR_RESRC);
 		bzero((char *)ysd, sizeof *ysd);
 		ysd->dom_socket = -1;
 		ysd->dom_vers = 0;
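Review bot: The `malloc` plus `bzero` pair around the new check could be a single `ysd = calloc(1, sizeof *ysd);`, which keeps the added `if (ysd == NULL)` test and drops both the cast and the separate zeroing step. The enclosing function starts and ends outside this hunk, so whether anything acquired earlier has to be released on the new `return(YPERR_RESRC);` path cannot be confirmed from here. If nothing does, a short comment on that return saying so would save the next reader the same check.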
@@ -675,11 +677,18 @@
 */
 		*outvallen = yprv.val.valdat_len;
 		*outval = (char *)malloc(*outvallen+1);
+		if (*outval == NULL) {
+			_yp_unbind(ysd);
+			*outvallen = 0;
+			YPUNLOCK();
+			return(YPERR_RESRC);
+		}
 		bcopy(yprv.val.valdat_val, *outval, *outvallen);
 		(*outval)[*outvallen] = '\0';
 		YPUNLOCK();
 		return (0);
 	}
+	_yp_unbind(ysd);
 #endif
 
 again:
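Review bot: The `_yp_unbind(ysd);` added after the closing brace of the cache-hit branch sits before `#endif`, so it runs on every cache miss and only in builds where that conditional is defined. The two build variants therefore reach `again:` in different binding states. The report describes only malloc-failure handling and this line is not on a failure path, so it needs a comment explaining why the binding is dropped there, or it should be submitted separately. The new failure branch also calls `_yp_unbind(ysd)`, while the successful cache hit just below returns without it. If unbinding also discards cached entries (not visible here), a transient allocation failure would throw the cache away. The start of the function and the code after `again:` are outside the hunk.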
@@ -705,6 +714,13 @@
 	if (!(r = ypprot_err(yprv.stat))) {
 		*outvallen = yprv.val.valdat_len;
 		*outval = (char *)malloc(*outvallen+1);
+		if (*outval == NULL) {
+			_yp_unbind(ysd);
+			*outvallen = 0;
+			xdr_free((xdrproc_t)xdr_ypresp_val, &yprv);
+			YPUNLOCK();
+			return(YPERR_RESRC);
+		}
 		bcopy(yprv.val.valdat_val, *outval, *outvallen);
 		(*outval)[*outvallen] = '\0';
 #ifdef YPMATCHCACHE
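Review bot: The new NULL check does not cover a bad length: `*outvallen` is taken from `yprv.val.valdat_len` in the server reply and `*outvallen+1` goes to `malloc` with no range check. The declarations are outside the hunk, but if `*outvallen` is a signed int and the reply field is unsigned, an oversized value can turn negative and `*outvallen+1` can become zero. `malloc` may then return non-NULL, and the following `bcopy` would run with a huge length. Validating before the allocation would close this, for example `if (yprv.val.valdat_len >= INT_MAX)` followed by the same cleanup as the NULL branch. The same applies to the `keydat_len` and `valdat_len` allocations in the two later hunks at -783 and -843.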
@@ -783,10 +799,25 @@
 	if (!(r = ypprot_err(yprkv.stat))) {
 		*outkeylen = yprkv.key.keydat_len;
 		*outkey = (char *)malloc(*outkeylen+1);
+		if (*outkey == NULL) {
+			_yp_unbind(ysd);
+			*outkeylen = 0;
+			xdr_free((xdrproc_t)xdr_ypresp_key_val, &yprkv);
+			YPUNLOCK();
+			return(YPERR_RESRC);
+		}
 		bcopy(yprkv.key.keydat_val, *outkey, *outkeylen);
 		(*outkey)[*outkeylen] = '\0';
 		*outvallen = yprkv.val.valdat_len;
 		*outval = (char *)malloc(*outvallen+1);
+		if (*outval == NULL) {
+			free(*outkey);
+			_yp_unbind(ysd);
+			*outkeylen = *outvallen = 0;
+			xdr_free((xdrproc_t)xdr_ypresp_key_val, &yprkv);
+			YPUNLOCK();
+			return(YPERR_RESRC);
+		}
 		bcopy(yprkv.val.valdat_val, *outval, *outvallen);
 		(*outval)[*outvallen] = '\0';
 	}
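Review bot: In the second failure branch, `free(*outkey);` leaves the caller's `*outkey` pointing at freed memory while `*outkeylen` is reset to 0, so a caller that frees its out-pointers on error would double-free. Add `*outkey = NULL;` right after `free(*outkey);`; the hunk at -843 contains the identical branch and needs the same line. The unbind / `xdr_free` / `YPUNLOCK()` / return sequence is also repeated in every failure branch of the patch. A single shared error exit would keep those steps from drifting apart, but the function's start and end are outside the hunk, so the exact shape is left to the author.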
@@ -843,10 +874,25 @@
 	if (!(r = ypprot_err(yprkv.stat))) {
 		*outkeylen = yprkv.key.keydat_len;
 		*outkey = (char *)malloc(*outkeylen+1);
+		if (*outkey == NULL) {
+			_yp_unbind(ysd);
+			*outkeylen = 0;
+			xdr_free((xdrproc_t)xdr_ypresp_key_val, &yprkv);
+			YPUNLOCK();
+			return(YPERR_RESRC);
+		}
 		bcopy(yprkv.key.keydat_val, *outkey, *outkeylen);
 		(*outkey)[*outkeylen] = '\0';
 		*outvallen = yprkv.val.valdat_len;
 		*outval = (char *)malloc(*outvallen+1);
+		if (*outval == NULL) {
+			free(*outkey);
+			_yp_unbind(ysd);
+			*outkeylen = *outvallen = 0;
+			xdr_free((xdrproc_t)xdr_ypresp_key_val, &yprkv);
+			YPUNLOCK();
+			return(YPERR_RESRC);
+		}
 		bcopy(yprkv.val.valdat_val, *outval, *outvallen);
 		(*outval)[*outvallen] = '\0';
 	}
--- patch ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted:

