bin/83340: [patch] setnetgrent() and supporting functions don' t check malloc for failures

Guy Helmer ghelmer at palisadesystems.com
Wed Jan 4 21:50:13 UTC 2012


The following reply was made to PR bin/83340; it has been noted by GNATS.

From: Guy Helmer <ghelmer at palisadesystems.com>
To: bug-followup at FreeBSD.org, dan at obluda.cz
Cc:  
Subject: Re: bin/83340: [patch] setnetgrent() and supporting functions don&#39;t check malloc for failures
Date: Wed, 4 Jan 2012 15:17:13 -0600

 I have updated the patch a bit to resolve the possibility of a memory =
 leak in parse_netgrp() if an ng_str[] element allocation fails, and to =
 prevent corrupting the grouphead.gr chain in the event any allocation =
 fails. However, I don't have an environment handy to test this so if you =
 could check this before I commit it, I would appreciate it.
 
 Index: getnetgrent.c
 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
 --- getnetgrent.c       (revision 229512)
 +++ getnetgrent.c       (working copy)
 @@ -203,9 +203,7 @@
                         if (parse_netgrp(group))
                                 endnetgrent();
                         else {
 -                               grouphead.grname =3D (char *)
 -                                       malloc(strlen(group) + 1);
 -                               strcpy(grouphead.grname, group);
 +                               grouphead.grname =3D strdup(group);
                         }
                         if (netf)
                                 fclose(netf);
 @@ -417,7 +415,7 @@
  parse_netgrp(const char *group)
  {
         char *spos, *epos;
 -       int len, strpos;
 +       int len, strpos, freepos;
  #ifdef DEBUG
         int fields;
  #endif
 @@ -454,9 +452,9 @@
         while (pos !=3D NULL && *pos !=3D '\0') {
                 if (*pos =3D=3D '(') {
                         grp =3D (struct netgrp *)malloc(sizeof (struct =
 netgrp));
 +                       if (grp =3D=3D NULL)
 +                               return(1);
                         bzero((char *)grp, sizeof (struct netgrp));
 -                       grp->ng_next =3D grouphead.gr;
 -                       grouphead.gr =3D grp;
                         pos++;
                         gpos =3D strsep(&pos, ")");
  #ifdef DEBUG
 @@ -477,6 +475,13 @@
                                         if (len > 0) {
                                                 grp->ng_str[strpos] =3D  =
 (char *)
                                                         malloc(len + 1);
 +                                               if (grp->ng_str[strpos] =
 =3D=3D NULL) {
 +                                                       for (freepos =3D =
 0; freepos < strpos; freepos++)
 +                                                               if =
 (grp->ng_str[freepos] !=3D NULL)
 +                                                                       =
 free(grp->ng_str[freepos]);
 +                                                       free(grp);
 +                                                       return(1);
 +                                               }
                                                 bcopy(spos, =
 grp->ng_str[strpos],
                                                         len + 1);
                                         }
 @@ -490,6 +495,8 @@
                                         grp->ng_str[strpos] =3D NULL;
                                 }
                         }
 +                       grp->ng_next =3D grouphead.gr;
 +                       grouphead.gr =3D grp;
  #ifdef DEBUG
                         /*
                          * Note: on other platforms, malformed netgroup
 @@ -526,7 +533,7 @@
  static struct linelist *
  read_for_group(const char *group)
  {
 -       char *pos, *spos, *linep, *olinep;
 +       char *pos, *spos, *linep;
         int len, olen;
         int cont;
         struct linelist *lp;
 @@ -534,6 +541,7 @@
  #ifdef YP
         char *result;
         int resultlen;
 +       linep =3D NULL;
 =20
         while (_netgr_yp_enabled || fgets(line, LINSIZ, netf) !=3D NULL) =
 {
                 if (_netgr_yp_enabled) {
 @@ -554,6 +562,7 @@
                         free(result);
                 }
  #else
 +       linep =3D NULL;
         while (fgets(line, LINSIZ, netf) !=3D NULL) {
  #endif
                 pos =3D (char *)&line;
 @@ -576,8 +585,14 @@
                         pos++;
                 if (*pos !=3D '\n' && *pos !=3D '\0') {
                         lp =3D (struct linelist *)malloc(sizeof (*lp));
 +                       if (lp =3D=3D NULL)=20
 +                               return(NULL);
                         lp->l_parsed =3D 0;
                         lp->l_groupname =3D (char *)malloc(len + 1);
 +                       if (lp->l_groupname =3D=3D NULL) {
 +                               free(lp);
 +                               return(NULL);
 +                       }
                         bcopy(spos, lp->l_groupname, len);
                         *(lp->l_groupname + len) =3D '\0';
                         len =3D strlen(pos);
 @@ -595,15 +610,15 @@
                                 } else
                                         cont =3D 0;
                                 if (len > 0) {
 -                                       linep =3D (char *)malloc(olen + =
 len + 1);
 -                                       if (olen > 0) {
 -                                               bcopy(olinep, linep, =
 olen);
 -                                               free(olinep);
 +                                       linep =3D (char =
 *)reallocf(linep, olen + len + 1);
 +                                       if (linep =3D=3D NULL) {
 +                                               free(lp->l_groupname);
 +                                               free(lp);
 +                                               return(NULL);
                                         }
                                         bcopy(pos, linep + olen, len);
                                         olen +=3D len;
                                         *(linep + olen) =3D '\0';
 -                                       olinep =3D linep;
                                 }
                                 if (cont) {
                                         if (fgets(line, LINSIZ, netf)) {
 @@ -634,5 +649,5 @@
          */
         rewind(netf);
  #endif
 -       return ((struct linelist *)0);
 +       return (NULL);
  }
 
 
 --------
 This message has been scanned by ComplianceSafe, powered by Palisade's PacketSure.


More information about the freebsd-bugs mailing list