From: Ed Maste
Date: Tue, 7 Feb 2012 04:06:21 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-8@freebsd.org
Subject: svn commit: r231113 - stable/8/usr.sbin/mfiutil

Author: emaste
Date: Tue Feb 7 04:06:21 2012
New Revision: 231113
URL: http://svn.freebsd.org/changeset/base/231113

Log:
  MFC r227893 and r228119:

  Avoid double free creating a new RAID with invalid command line arguments.

  In build_volume(), check if arrays is allocated before traversing its items. While parsing the arrays input, it's possible that we reach the error path before initializing the 'arrays' pointer, which in turn leads to a NULL dereference.

Modified:
  stable/8/usr.sbin/mfiutil/mfi_config.c
Directory Properties:
  stable/8/usr.sbin/mfiutil/ (props changed)

Modified: stable/8/usr.sbin/mfiutil/mfi_config.c
==============================================================================
--- stable/8/usr.sbin/mfiutil/mfi_config.c Tue Feb 7 04:03:39 2012 (r231112) +++ stable/8/usr.sbin/mfiutil/mfi_config.c Tue Feb 7 04:06:21 2012 (r231113) @@ -348,6 +348,7 @@ parse_array(int fd, int raid_type, char error = mfi_lookup_drive(fd, cp, &device_id); if (error) { free(info->drives); + info->drives = NULL; return (error); }
@@ -355,12 +356,14 @@ parse_array(int fd, int raid_type, char error = errno; warn("Failed to fetch drive info for drive %s", cp); free(info->drives); + info->drives = NULL; return (error); } if (pinfo->fw_state != MFI_PD_STATE_UNCONFIGURED_GOOD) { warnx("Drive %u is not available", device_id); free(info->drives); + info->drives = NULL; return (EINVAL); } } @@ -817,9 +820,11 @@ error: free(config); free(state.volumes); free(state.arrays); - for (i = 0; i < narrays; i++) - free(arrays[i].drives); - free(arrays); + if (arrays != NULL) { + for (i = 0; i < narrays; i++) + free(arrays[i].drives); + free(arrays); + } close(fd); return (error);
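
Review bot: In parse_array(), the sequence free(info->drives); info->drives = NULL; return is now repeated on three error paths (the mfi_lookup_drive() failure in the -348 hunk and the two failures in the -355 hunk), so a future fourth exit can easily omit the NULL assignment and bring back the double free when the free(arrays[i].drives) loop under error: runs. Consider routing all three through one cleanup label that frees and clears info->drives, and add a one-line comment there saying the pointer is cleared because the error: path frees it again.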
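
Review bot: The new if (arrays != NULL) guard under error: is only correct if arrays is initialized to NULL at its declaration, and the loop inside it is only correct if arrays[i].drives is NULL for every entry parse_array() never reached. Neither the declaration nor the allocation is visible in this hunk, so please confirm both (for example that arrays is allocated zeroed), since the loop still runs over all narrays entries rather than only the ones that were parsed. As a style point, free(NULL) is a no-op, so only the for loop needs the guard.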