bin/83340: [ PATCH ] setnetgrent() and supporting functions don't
check malloc for failures
Dan Lukes
dan at obluda.cz
Tue Jul 12 17:30:17 GMT 2005
>Number: 83340
>Category: bin
>Synopsis: [ PATCH ] setnetgrent() and supporting functions don't check malloc for failures
>Confidential: no
>Severity: serious
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Tue Jul 12 17:30:15 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator: Dan Lukes
>Release: FreeBSD 5.4-STABLE i386
>Organization:
>Environment:
System: FreeBSD 5.4-STABLE #8: Sat Jul 9 16:31:08 CEST 2005 i386
lib/libc/gen/getnetgrent.c,v 1.31.2.1 2004/11/28 14:10:16 bz
>Description:
setnetgrent(), parse_netgrp() (called from it) and read_for_group()
(called from parse_netgrp()) do not check malloc() for failure
>How-To-Repeat:
>Fix:
--- patch begins here ---
--- lib/libc/gen/getnetgrent.c.ORIG Tue Nov 30 14:52:11 2004
+++ lib/libc/gen/getnetgrent.c Tue Jul 12 19:12:22 2005
@@ -207,9 +207,7 @@
if (parse_netgrp(group))
endnetgrent();
else {
- grouphead.grname = (char *)
- malloc(strlen(group) + 1);
- strcpy(grouphead.grname, group);
+ grouphead.grname = strdup(group);
}
if (netf)
fclose(netf);
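Review bot: The result of `strdup(group)` is still unchecked, so on allocation failure `grouphead.grname` is silently left NULL while the freshly parsed list stays in place. Any later use of `grname` that assumes a valid string would then dereference NULL; no such use is visible in this hunk, so that part is inferred. The branch above already discards state with `endnetgrent()` when parsing fails, and the same could be done here: `if ((grouphead.grname = strdup(group)) == NULL) endnetgrent();`. The enclosing function begins outside the hunk.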
@@ -448,6 +446,8 @@
while (pos != NULL && *pos != '\0') {
if (*pos == '(') {
grp = (struct netgrp *)malloc(sizeof (struct netgrp));
+ if (grp == NULL)
+ return(1);
bzero((char *)grp, sizeof (struct netgrp));
grp->ng_next = grouphead.gr;
grouphead.gr = grp;
@@ -471,6 +471,8 @@
if (len > 0) {
grp->ng_str[strpos] = (char *)
malloc(len + 1);
+ if (grp->ng_str[strpos] == NULL)
+ return(1);
bcopy(spos, grp->ng_str[strpos],
len + 1);
}
@@ -520,7 +522,7 @@
static struct linelist *
read_for_group(const char *group)
{
- char *pos, *spos, *linep, *olinep;
+ char *pos, *spos, *linep;
int len, olen;
int cont;
struct linelist *lp;
@@ -570,8 +572,14 @@
pos++;
if (*pos != '\n' && *pos != '\0') {
lp = (struct linelist *)malloc(sizeof (*lp));
+ if (lp == NULL)
+ return(NULL);
lp->l_parsed = 0;
lp->l_groupname = (char *)malloc(len + 1);
+ if (lp->l_groupname == NULL) {
+ free(lp);
+ return(NULL);
+ }
bcopy(spos, lp->l_groupname, len);
*(lp->l_groupname + len) = '\0';
len = strlen(pos);
@@ -589,15 +597,15 @@
} else
cont = 0;
if (len > 0) {
- linep = (char *)malloc(olen + len + 1);
- if (olen > 0) {
- bcopy(olinep, linep, olen);
- free(olinep);
+ linep = (char *)reallocf(linep, olen + len + 1);
+ if (linep == NULL) {
+ free(lp->l_groupname);
+ free(lp);
+ return(NULL);
}
bcopy(pos, linep + olen, len);
olen += len;
*(linep + olen) = '\0';
- olinep = linep;
}
if (cont) {
if (fgets(line, LINSIZ, netf)) {
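Review bot: `reallocf(linep, olen + len + 1)` now reads the previous value of `linep`, and nothing in this patch initialises it. The old code only ever assigned `linep` from `malloc()`, and the declaration hunk leaves `char *pos, *spos, *linep;` without an initialiser. Unless an unchanged line outside the hunks sets it, the first pass through this block hands an indeterminate pointer to the allocator. On a later entry it would presumably resize the buffer left over from the previous entry, which the removed `olinep` copy-and-free logic never did. Add `linep = NULL;` where a new entry starts, before the continuation loop that contains this block; the loop header is outside the hunk.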
@@ -628,5 +636,5 @@
*/
rewind(netf);
#endif
- return ((struct linelist *)0);
+ return (NULL);
}
--- patch ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted: