svn commit: r299821 - head/sbin/routed

Sun May 15 02:30:35 UTC 2016

Author: pfg
Date: Sun May 15 02:30:34 2016
New Revision: 299821
URL: https://svnweb.freebsd.org/changeset/base/299821

Log:
  routed(8): Avoid NULL de-reference and two possible memory leaks.
  
  The reports and fixes are straightforward but it's nice to be able
  to confirm against NetBSD.
  
  CID:		271080, 272306, 272307
  Obtained from:	NetBSD (CVS ref. 1.21 - 1.23)
  MFC after:	2 weeks.

Modified:
  head/sbin/routed/parms.c

Modified: head/sbin/routed/parms.c
==============================================================================

--- head/sbin/routed/parms.c	Sun May 15 01:15:20 2016	(r299820)
+++ head/sbin/routed/parms.c	Sun May 15 02:30:34 2016	(r299821)
@@ -588,8 +588,10 @@ parse_parms(char *line,
 			intnetp->intnet_metric = (int)strtol(val+1,&p,0);
 			if (*p != '\0'
 			    || intnetp->intnet_metric <= 0
-			    || intnetp->intnet_metric >= HOPCNT_INFINITY)
+			    || intnetp->intnet_metric >= HOPCNT_INFINITY) {
+				free(intnetp);
 				return bad_str(line);
+			}
 		}
 		if (!getnet(buf, &intnetp->intnet_addr, &intnetp->intnet_mask)
 		    || intnetp->intnet_mask == HOST_MASK
@@ -670,7 +672,7 @@ parse_parms(char *line,
 			 * The parm_net stuff is needed to allow several
 			 * -F settings.
 			 */
-			if (!getnet(val0, &addr, &mask)
+			if (val0 == NULL || !getnet(val0, &addr, &mask)
 			    || parm.parm_name[0] != '\0')
 				return bad_str(tgt);
 			parm.parm_net = addr;
@@ -681,6 +683,8 @@ parse_parms(char *line,
 			/* since cleartext passwords are so weak allow
 			 * them anywhere
 			 */
+			if (val0 == NULL)
+				return bad_str("no passwd");
 			msg = get_passwd(tgt,val0,&parm,RIP_AUTH_PW,1);
 			if (msg) {
 				*val0 = '\0';
@@ -812,8 +816,10 @@ parse_parms(char *line,
 				    || !getnet(buf2, &tg->tgate_nets[i].net,
 					       &tg->tgate_nets[i].mask)
 				    || tg->tgate_nets[i].net == RIP_DEFAULT
-				    || tg->tgate_nets[i].mask == 0)
+				    || tg->tgate_nets[i].mask == 0) {
+					free(tg);
 					return bad_str(tgt);
+				}
 				i++;
 			}
 			tg->tgate_next = tgates;
