svn commit: r300624 - head/lib/libc/rpc
Garrett Cooper
ngie at FreeBSD.org
Tue May 24 19:52:06 UTC 2016
Author: ngie
Date: Tue May 24 19:52:05 2016
New Revision: 300624
URL: https://svnweb.freebsd.org/changeset/base/300624
Log:
Fix up r300385
I accidentally glossed over the fact that tmp is manipulated via strchr, so
if we tried to free `tmp` after r300385, it would have crashed.
Create a separate pointer (tmp2) to track the original allocation of `tmp`,
and free `tmp2` if `p->nc_lookups` can't be malloced
MFC after: 4 days
X-MFC with: r300385
Reported by: Coverity
CID: 1356026
Sponsored by: EMC / Isilon Storage Division
Modified:
head/lib/libc/rpc/getnetconfig.c
Modified: head/lib/libc/rpc/getnetconfig.c
==============================================================================
--- head/lib/libc/rpc/getnetconfig.c Tue May 24 19:26:58 2016 (r300623)
+++ head/lib/libc/rpc/getnetconfig.c Tue May 24 19:52:05 2016 (r300624)
@@ -692,7 +692,7 @@ static struct netconfig *
dup_ncp(struct netconfig *ncp)
{
struct netconfig *p;
- char *tmp;
+ char *tmp, *tmp2;
u_int i;
if ((tmp=malloc(MAXNETCONFIGLINE)) == NULL)
@@ -701,6 +701,7 @@ dup_ncp(struct netconfig *ncp)
free(tmp);
return(NULL);
}
+ tmp2 = tmp;
/*
* First we dup all the data from matched netconfig buffer. Then we
* adjust some of the member pointer to a pre-allocated buffer where
@@ -722,7 +723,7 @@ dup_ncp(struct netconfig *ncp)
if (p->nc_lookups == NULL) {
free(p->nc_netid);
free(p);
- free(tmp);
+ free(tmp2);
return(NULL);
}
for (i=0; i < p->nc_nlookups; i++) {
More information about the svn-src-head
mailing list