svn commit: r323519 - head/lib/libefivar

Warner Losh imp at FreeBSD.org
Wed Sep 13 04:32:24 UTC 2017 

Author: imp
Date: Wed Sep 13 04:32:23 2017
New Revision: 323519
URL: https://svnweb.freebsd.org/changeset/base/323519

Log:
  Minor fixes to edge cases in efi_get_next_variable_name
  
  Fix allocating more memory for the names (unlikely to be needed, but
  still best to get right) to ask for the length the kernel told use we
  needed, not the old length of the variable. Mind the proper NUL that
  we add in the space we allocate. Free the old name string before we
  allcoate a new one to limit what we leak to the last one (free passed
  in name for the last one in the list), and detect the last one by rv
  != 0 and errno == ENOENT, rather then just the former to avoid false
  positives if errno happens to be ENOENT on entry.
  
  Sponsored by: Netflix

Modified:
  head/lib/libefivar/efivar.c

Modified: head/lib/libefivar/efivar.c
==============================================================================
--- head/lib/libefivar/efivar.c	Wed Sep 13 03:56:03 2017	(r323518)
+++ head/lib/libefivar/efivar.c	Wed Sep 13 04:32:23 2017	(r323519)
@@ -225,8 +225,13 @@ efi_get_next_variable_name(efi_guid_t **guid, char **n
 	if (efi_open_dev() == -1)
 		return -1;
 
+	/*
+	 * Always allocate enough for an extra NUL on the end, but don't tell
+	 * the IOCTL about it so we can NUL terminate the name before converting
+	 * it to UTF8.
+	 */
 	if (buf == NULL)
-		buf = malloc(buflen);
+		buf = malloc(buflen + sizeof(efi_char));
 
 again:
 	efi_var_reset(&var);
@@ -244,21 +249,23 @@ again:
 	rv = ioctl(efi_fd, EFIIOC_VAR_NEXT, &var);
 	if (rv == 0 && var.name == NULL) {
 		/*
-		 * oops, too little space. Try again.
+		 * Variable name not long enough, so allocate more space for the
+		 * name and try again. As above, mind the NUL we add.
 		 */
-		void *new = realloc(buf, buflen);
-		buflen = var.namesize;
+		void *new = realloc(buf, var.namesize + sizeof(efi_char));
 		if (new == NULL) {
 			rv = -1;
 			errno = ENOMEM;
 			goto done;
 		}
+		buflen = var.namesize;
 		buf = new;
 		goto again;
 	}
 
 	if (rv == 0) {
-		*name = NULL; /* XXX */
+		free(*name);			/* Free last name, to avoid leaking */
+		*name = NULL;			/* Force ucs2_to_utf8 to malloc new space */
 		var.name[var.namesize / sizeof(efi_char)] = 0;	/* EFI doesn't NUL terminate */
 		rv = ucs2_to_utf8(var.name, name);
 		if (rv != 0)
@@ -269,9 +276,11 @@ again:
 errout:
 
 	/* XXX The linux interface expects name to be a static buffer -- fix or leak memory? */
+	/* XXX for the moment, we free just before we'd leak, but still leak last one */
 done:
-	if (errno == ENOENT) {
+	if (rv != 0 && errno == ENOENT) {
 		errno = 0;
+		free(*name);			/* Free last name, to avoid leaking */
 		return 0;
 	}

More information about the svn-src-head mailing list