bin/83340: [patch] setnetgrent() and supporting functions
don' t check malloc for failures
Guy Helmer
ghelmer at palisadesystems.com
Wed Jan 4 21:50:13 UTC 2012
The following reply was made to PR bin/83340; it has been noted by GNATS.
From: Guy Helmer <ghelmer at palisadesystems.com>
To: bug-followup at FreeBSD.org, dan at obluda.cz
Cc:
Subject: Re: bin/83340: [patch] setnetgrent() and supporting functions don't check malloc for failures
Date: Wed, 4 Jan 2012 15:17:13 -0600
I have updated the patch a bit to resolve the possibility of a memory
leak in parse_netgrp() if an ng_str[] element allocation fails, and to
prevent corrupting the grouphead.gr chain in the event any allocation
fails. However, I don't have an environment handy to test this so if you
could check this before I commit it, I would appreciate it.
Index: getnetgrent.c
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
--- getnetgrent.c (revision 229512)
+++ getnetgrent.c (working copy)
@@ -203,9 +203,7 @@
if (parse_netgrp(group))
endnetgrent();
else {
- grouphead.grname =3D (char *)
- malloc(strlen(group) + 1);
- strcpy(grouphead.grname, group);
+ grouphead.grname =3D strdup(group);
}
if (netf)
fclose(netf);
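Review bot: The `strdup(group)` result on the added line is stored without a NULL check, so the one allocation in this branch can still fail silently, which is the class of bug this PR is about. On failure `grouphead.grname` is NULL while the parsed list stays populated, and any later string use of `grouphead.grname` (not visible in this hunk) would dereference a null pointer. Consider `if ((grouphead.grname = strdup(group)) == NULL) endnetgrent();`, assuming endnetgrent() releases the list as its use a few lines above suggests. The enclosing function starts and ends outside the hunk.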
@@ -417,7 +415,7 @@
parse_netgrp(const char *group)
{
char *spos, *epos;
- int len, strpos;
+ int len, strpos, freepos;
#ifdef DEBUG
int fields;
#endif
@@ -454,9 +452,9 @@
while (pos !=3D NULL && *pos !=3D '\0') {
if (*pos =3D=3D '(') {
grp =3D (struct netgrp *)malloc(sizeof (struct =
netgrp));
+ if (grp =3D=3D NULL)
+ return(1);
bzero((char *)grp, sizeof (struct netgrp));
- grp->ng_next =3D grouphead.gr;
- grouphead.gr =3D grp;
pos++;
gpos =3D strsep(&pos, ")");
#ifdef DEBUG
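Review bot: The new `return(1)` on allocation failure reuses the value the caller already treats as a parse failure (the first hunk calls endnetgrent() on any non-zero result), so running out of memory becomes indistinguishable from a missing or malformed netgroup. Netgroup lookups commonly feed access decisions, and a consumer that uses membership to deny access would presumably see an empty group; that depends on callers not shown here. A comment at this return, such as `/* Out of memory: reported like a parse error, callers cannot tell it from an empty group. */`, would at least make the contract explicit. The same applies to the `return(1)` in the ng_str[] hunk and the `return(NULL)` paths added to read_for_group(); parse_netgrp() continues outside the hunk.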
@@ -477,6 +475,13 @@
if (len > 0) {
grp->ng_str[strpos] =3D =
(char *)
malloc(len + 1);
+ if (grp->ng_str[strpos] =
=3D=3D NULL) {
+ for (freepos =3D =
0; freepos < strpos; freepos++)
+ if =
(grp->ng_str[freepos] !=3D NULL)
+ =
free(grp->ng_str[freepos]);
+ free(grp);
+ return(1);
+ }
bcopy(spos, =
grp->ng_str[strpos],
len + 1);
}
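Review bot: The cleanup loop guards each `free()` with a NULL test that is redundant, since `free(NULL)` is a no-op, and the nested `for`/`if` is written without braces. `for (freepos = 0; freepos < strpos; freepos++) free(grp->ng_str[freepos]);` does the same work. It still relies on the `bzero()` of grp in the previous hunk having cleared the slots that were never filled. The enclosing loop starts and ends outside the hunk.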
@@ -490,6 +495,8 @@
grp->ng_str[strpos] =3D NULL;
}
}
+ grp->ng_next =3D grouphead.gr;
+ grouphead.gr =3D grp;
#ifdef DEBUG
/*
* Note: on other platforms, malformed netgroup
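Review bot: The relocated `grp->ng_next` / `grouphead.gr` assignment has no comment explaining why linking is now deferred, and that ordering is what keeps a half-built entry off the list when an allocation fails. A one-line comment above it, such as `/* Link only after all fields are set, so a failed allocation never leaves a partial entry on grouphead.gr. */`, would stop a later cleanup from moving it back. The enclosing block starts outside the hunk and the DEBUG comment runs past its end.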
@@ -526,7 +533,7 @@
static struct linelist *
read_for_group(const char *group)
{
- char *pos, *spos, *linep, *olinep;
+ char *pos, *spos, *linep;
int len, olen;
int cont;
struct linelist *lp;
@@ -534,6 +541,7 @@
#ifdef YP
char *result;
int resultlen;
+ linep =3D NULL;
=20
while (_netgr_yp_enabled || fgets(line, LINSIZ, netf) !=3D NULL) =
{
if (_netgr_yp_enabled) {
@@ -554,6 +562,7 @@
free(result);
}
#else
+ linep =3D NULL;
while (fgets(line, LINSIZ, netf) !=3D NULL) {
#endif
pos =3D (char *)&line;
@@ -576,8 +585,14 @@
pos++;
if (*pos !=3D '\n' && *pos !=3D '\0') {
lp =3D (struct linelist *)malloc(sizeof (*lp));
+ if (lp =3D=3D NULL)=20
+ return(NULL);
lp->l_parsed =3D 0;
lp->l_groupname =3D (char *)malloc(len + 1);
+ if (lp->l_groupname =3D=3D NULL) {
+ free(lp);
+ return(NULL);
+ }
bcopy(spos, lp->l_groupname, len);
*(lp->l_groupname + len) =3D '\0';
len =3D strlen(pos);
@@ -595,15 +610,15 @@
} else
cont =3D 0;
if (len > 0) {
- linep =3D (char *)malloc(olen + =
len + 1);
- if (olen > 0) {
- bcopy(olinep, linep, =
olen);
- free(olinep);
+ linep =3D (char =
*)reallocf(linep, olen + len + 1);
+ if (linep =3D=3D NULL) {
+ free(lp->l_groupname);
+ free(lp);
+ return(NULL);
}
bcopy(pos, linep + olen, len);
olen +=3D len;
*(linep + olen) =3D '\0';
- olinep =3D linep;
}
if (cont) {
if (fgets(line, LINSIZ, netf)) {
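Review bot: `reallocf(linep, ...)` assumes linep is either NULL or a buffer still owned by the entry being built, but `linep = NULL` is set only once, before the outer `while` loop (the hunks at -534 and -554). If linep is stored into the entry after the continuation loop and the outer loop then moves on to another line, as the code outside this hunk appears to do, the next call would resize or free a buffer that an earlier linelist entry still points to, leaving a dangling pointer and a likely double free at teardown. Resetting it per entry, e.g. `linep = NULL;` next to `lp->l_parsed = 0;`, would keep each entry's buffer separate. Since the description says the patch is untested, parsing a multi-line netgroup file under a memory checker would confirm this before commit.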
@@ -634,5 +649,5 @@
*/
rewind(netf);
#endif
- return ((struct linelist *)0);
+ return (NULL);
}