bin/83349: [ PATCH ] improper handling o malloc's failures within
libc/yp/yplib.c routines
Dan Lukes
dan at obluda.cz
Tue Jul 12 20:50:17 GMT 2005
>Number: 83349
>Category: bin
>Synopsis: [ PATCH ] improper handling o malloc's failures within libc/yp/yplib.c routines
>Confidential: no
>Severity: serious
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Tue Jul 12 20:50:16 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator: Dan Lukes
>Release: FreeBSD 5.4-STABLE i386
>Organization:
Obludarium
>Environment:
System: FreeBSD 5.4-STABLE #8: Sat Jul 9 16:31:08 CEST 2005 i386
lib/libc/yp/yplib.c,v 1.45.6.1 2005/05/13 17:06:52 ume
>Description:
Improper handling of malloc failures can cause NULL dereference and
memory leaking within yp_* routines.
>How-To-Repeat:
>Fix:
--- patch begins here ---
--- lib/libc/yp/yplib.c.ORIG Mon May 16 00:06:44 2005
+++ lib/libc/yp/yplib.c Tue Jul 12 22:36:33 2005
@@ -331,6 +331,8 @@
if (ysd == NULL) {
ysd = (struct dom_binding *)malloc(sizeof *ysd);
+ if (ysd == NULL)
+ return(YPERR_RESRC);
bzero((char *)ysd, sizeof *ysd);
ysd->dom_socket = -1;
ysd->dom_vers = 0;
@@ -675,11 +677,18 @@
*/
*outvallen = yprv.val.valdat_len;
*outval = (char *)malloc(*outvallen+1);
+ if (*outval == NULL) {
+ _yp_unbind(ysd);
+ *outvallen = 0;
+ YPUNLOCK();
+ return(YPERR_RESRC);
+ }
bcopy(yprv.val.valdat_val, *outval, *outvallen);
(*outval)[*outvallen] = '\0';
YPUNLOCK();
return (0);
}
+ _yp_unbind(ysd);
#endif
again:
@@ -705,6 +714,13 @@
if (!(r = ypprot_err(yprv.stat))) {
*outvallen = yprv.val.valdat_len;
*outval = (char *)malloc(*outvallen+1);
+ if (*outval == NULL) {
+ _yp_unbind(ysd);
+ *outvallen = 0;
+ xdr_free((xdrproc_t)xdr_ypresp_val, &yprv);
+ YPUNLOCK();
+ return(YPERR_RESRC);
+ }
bcopy(yprv.val.valdat_val, *outval, *outvallen);
(*outval)[*outvallen] = '\0';
#ifdef YPMATCHCACHE
@@ -783,10 +799,25 @@
if (!(r = ypprot_err(yprkv.stat))) {
*outkeylen = yprkv.key.keydat_len;
*outkey = (char *)malloc(*outkeylen+1);
+ if (*outkey == NULL) {
+ _yp_unbind(ysd);
+ *outkeylen = 0;
+ xdr_free((xdrproc_t)xdr_ypresp_key_val, &yprkv);
+ YPUNLOCK();
+ return(YPERR_RESRC);
+ }
bcopy(yprkv.key.keydat_val, *outkey, *outkeylen);
(*outkey)[*outkeylen] = '\0';
*outvallen = yprkv.val.valdat_len;
*outval = (char *)malloc(*outvallen+1);
+ if (*outval == NULL) {
+ free(*outkey);
+ _yp_unbind(ysd);
+ *outkeylen = *outvallen = 0;
+ xdr_free((xdrproc_t)xdr_ypresp_key_val, &yprkv);
+ YPUNLOCK();
+ return(YPERR_RESRC);
+ }
bcopy(yprkv.val.valdat_val, *outval, *outvallen);
(*outval)[*outvallen] = '\0';
}
@@ -843,10 +874,25 @@
if (!(r = ypprot_err(yprkv.stat))) {
*outkeylen = yprkv.key.keydat_len;
*outkey = (char *)malloc(*outkeylen+1);
+ if (*outkey == NULL) {
+ _yp_unbind(ysd);
+ *outkeylen = 0;
+ xdr_free((xdrproc_t)xdr_ypresp_key_val, &yprkv);
+ YPUNLOCK();
+ return(YPERR_RESRC);
+ }
bcopy(yprkv.key.keydat_val, *outkey, *outkeylen);
(*outkey)[*outkeylen] = '\0';
*outvallen = yprkv.val.valdat_len;
*outval = (char *)malloc(*outvallen+1);
+ if (*outval == NULL) {
+ free(*outkey);
+ _yp_unbind(ysd);
+ *outkeylen = *outvallen = 0;
+ xdr_free((xdrproc_t)xdr_ypresp_key_val, &yprkv);
+ YPUNLOCK();
+ return(YPERR_RESRC);
+ }
bcopy(yprkv.val.valdat_val, *outval, *outvallen);
(*outval)[*outvallen] = '\0';
}
--- patch ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted:
More information about the freebsd-bugs
mailing list