svn commit: r323519 - head/lib/libefivar
Warner Losh
imp at FreeBSD.org
Wed Sep 13 04:32:24 UTC 2017
Author: imp
Date: Wed Sep 13 04:32:23 2017
New Revision: 323519
URL: https://svnweb.freebsd.org/changeset/base/323519
Log:
Minor fixes to edge cases in efi_get_next_variable_name
Fix allocating more memory for the names (unlikely to be needed, but
still best to get right) to ask for the length the kernel told use we
needed, not the old length of the variable. Mind the proper NUL that
we add in the space we allocate. Free the old name string before we
allcoate a new one to limit what we leak to the last one (free passed
in name for the last one in the list), and detect the last one by rv
!= 0 and errno == ENOENT, rather then just the former to avoid false
positives if errno happens to be ENOENT on entry.
Sponsored by: Netflix
Modified:
head/lib/libefivar/efivar.c
Modified: head/lib/libefivar/efivar.c
==============================================================================
--- head/lib/libefivar/efivar.c Wed Sep 13 03:56:03 2017 (r323518)
+++ head/lib/libefivar/efivar.c Wed Sep 13 04:32:23 2017 (r323519)
@@ -225,8 +225,13 @@ efi_get_next_variable_name(efi_guid_t **guid, char **n
if (efi_open_dev() == -1)
return -1;
+ /*
+ * Always allocate enough for an extra NUL on the end, but don't tell
+ * the IOCTL about it so we can NUL terminate the name before converting
+ * it to UTF8.
+ */
if (buf == NULL)
- buf = malloc(buflen);
+ buf = malloc(buflen + sizeof(efi_char));
again:
efi_var_reset(&var);
@@ -244,21 +249,23 @@ again:
rv = ioctl(efi_fd, EFIIOC_VAR_NEXT, &var);
if (rv == 0 && var.name == NULL) {
/*
- * oops, too little space. Try again.
+ * Variable name not long enough, so allocate more space for the
+ * name and try again. As above, mind the NUL we add.
*/
- void *new = realloc(buf, buflen);
- buflen = var.namesize;
+ void *new = realloc(buf, var.namesize + sizeof(efi_char));
if (new == NULL) {
rv = -1;
errno = ENOMEM;
goto done;
}
+ buflen = var.namesize;
buf = new;
goto again;
}
if (rv == 0) {
- *name = NULL; /* XXX */
+ free(*name); /* Free last name, to avoid leaking */
+ *name = NULL; /* Force ucs2_to_utf8 to malloc new space */
var.name[var.namesize / sizeof(efi_char)] = 0; /* EFI doesn't NUL terminate */
rv = ucs2_to_utf8(var.name, name);
if (rv != 0)
@@ -269,9 +276,11 @@ again:
errout:
/* XXX The linux interface expects name to be a static buffer -- fix or leak memory? */
+ /* XXX for the moment, we free just before we'd leak, but still leak last one */
done:
- if (errno == ENOENT) {
+ if (rv != 0 && errno == ENOENT) {
errno = 0;
+ free(*name); /* Free last name, to avoid leaking */
return 0;
}
More information about the svn-src-head
mailing list