Date: Wed, 22 Mar 2017 17:37:47 +0000 (UTC)
From: Conrad Meyer <cem@FreeBSD.org>
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: svn commit: r315720 - head/lib/libc/gen
Message-ID: <201703221737.v2MHblI5024060@repo.freebsd.org>
Author: cem Date: Wed Mar 22 17:37:47 2017 New Revision: 315720 URL: https://svnweb.freebsd.org/changeset/base/315720 Log: scandir: Fix NULL dereference, uninitialized value use in error case If opendir succeeds but malloc fails, numitems was used uninitialized in error handling under the 'fail' label. If it happened to have a non-zero value, the NULL 'names' was dereferenced. Reported by: Coverity CIDs: 1329566, 1372625 Sponsored by: Dell EMC Isilon Modified: head/lib/libc/gen/scandir.c Modified: head/lib/libc/gen/scandir.c ============================================================================== --- head/lib/libc/gen/scandir.c Wed Mar 22 17:33:57 2017 (r315719) +++ head/lib/libc/gen/scandir.c Wed Mar 22 17:37:47 2017 (r315720) @@ -89,12 +89,12 @@ scandir(const char *dirname, struct dire if ((dirp = opendir(dirname)) == NULL) return(-1); + numitems = 0; arraysz = 32; /* initial estimate of the array size */ names = (struct dirent **)malloc(arraysz * sizeof(struct dirent *)); if (names == NULL) goto fail; - numitems = 0; while ((d = readdir(dirp)) != NULL) { if (select != NULL && !SELECT(d)) continue; /* just selected names */
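Review bot: The relocated "numitems = 0;" in the @@ -89,12 +89,12 @@ hunk is correct only because it now precedes the first "goto fail", and nothing on that line says so. The log states that the 'fail' label reads numitems and dereferences 'names' when it is non-zero, so a later reordering, or a new early "goto fail" added above this line, would bring back the uninitialized read. Suggest either initializing numitems where it is declared or adding a one-line comment here noting that the error path depends on it. The hunk does not show the 'fail' block itself, so it is worth confirming there that a zero count really skips every access to 'names' when the malloc has returned NULL.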