Date:      Wed, 22 Mar 2017 13:28:24 -0500
From:      Pedro Giffuni <pfg@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org
Subject:   Re: svn commit: r315725 - stable/11/lib/libc/gen
Message-ID:  <826A8703-3697-4DB6-9651-32A96A36AD9E@FreeBSD.org>
In-Reply-To: <201703221812.v2MICncq040713@repo.freebsd.org>
References:  <201703221812.v2MICncq040713@repo.freebsd.org>

> On 22 Mar 2017, at 13:12, Pedro F. Giffuni <pfg@FreeBSD.org> wrote:
>
> Author: pfg
> Date: Wed Mar 22 18:12:48 2017
> New Revision: 315725
> URL: https://svnweb.freebsd.org/changeset/base/315725
>
> Log:
>  MFC r315720 (from cem@)
>  scandir: Fix NULL dereference, uninitialized value use in error case
>
>  This bug was introduced in r315095. Given that it obviously is a bug and
>  we can't afford to have such creatures in libc, do an early merge,
>

This deserves further explanation: it was done now, before the regular 3 days before MFC
because I will be doing a highly risky operation in my HD (MBR -> GPT) and may not be
able to respond in a while.

It is well known cem@ doesn’t do MFCs and the bug was obvious enough that we wanted it
so now was better than in an undetermined future.

Pedro.

>  Reported by:	Coverity
>  CIDs:		1329566, 1372625
>  Sponsored by:	Dell EMC Isilon
>
> Modified:
>  stable/11/lib/libc/gen/scandir.c
> Directory Properties:
>  stable/11/   (props changed)
>
> Modified: stable/11/lib/libc/gen/scandir.c
> =
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D
> --- stable/11/lib/libc/gen/scandir.c	Wed Mar 22 17:56:46 2017	=
(r315724)
> +++ stable/11/lib/libc/gen/scandir.c	Wed Mar 22 18:12:48 2017	=
(r315725)
> @@ -89,12 +89,12 @@ scandir(const char *dirname, struct dire
> 	if ((dirp =3D opendir(dirname)) =3D=3D NULL)
> 		return(-1);
>=20
> +	numitems =3D 0;
> 	arraysz =3D 32;	/* initial estimate of the array size */
> 	names =3D (struct dirent **)malloc(arraysz * sizeof(struct =
dirent *));
> 	if (names =3D=3D NULL)
> 		goto fail;
>=20
> -	numitems =3D 0;
> 	while ((d =3D readdir(dirp)) !=3D NULL) {
> 		if (select !=3D NULL && !SELECT(d))
> 			continue;	/* just selected names */
>=20
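
Review bot: the `numitems = 0;` moved above the `malloc` at the top of this hunk covers the `goto fail` taken when `names == NULL`, but the fix now rests only on statement order. Initialising `numitems` at its declaration, or adding a one-line comment that it must be set before the first `goto fail`, would keep a later reordering from reintroducing the uninitialized read. The `fail:` label is outside the visible context, so it is worth confirming in review that its cleanup only touches `names` for indices below `numitems`, which is what makes the `names == NULL` case safe once `numitems` is 0.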



