Date: Tue, 12 Jul 2005 19:23:52 +0200 (CEST) From: Dan Lukes <dan@obluda.cz> To: FreeBSD-gnats-submit@FreeBSD.org Subject: bin/83340: [ PATCH ] setnetgrent() and supporting functions don't check malloc for failures Message-ID: <200507121723.j6CHNq2D016014@kulesh.obluda.cz> Resent-Message-ID: <200507121730.j6CHUGPb061766@freefall.freebsd.org>
>Number: 83340 >Category: bin >Synopsis: [ PATCH ] setnetgrent() and supporting functions don't check malloc for failures >Confidential: no >Severity: serious >Priority: low >Responsible: freebsd-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Tue Jul 12 17:30:15 GMT 2005 >Closed-Date: >Last-Modified: >Originator: Dan Lukes >Release: FreeBSD 5.4-STABLE i386 >Organization: >Environment: System: FreeBSD 5.4-STABLE #8: Sat Jul 9 16:31:08 CEST 2005 i386 lib/libc/gen/getnetgrent.c,v 1.31.2.1 2004/11/28 14:10:16 bz >Description: setnetgrent(), parse_netgrp() called from it, read_for_group() called from parse_netgrp() don't check malloc for failures >How-To-Repeat: >Fix:
--- patch begins here ---
--- lib/libc/gen/getnetgrent.c.ORIG Tue Nov 30 14:52:11 2004
+++ lib/libc/gen/getnetgrent.c Tue Jul 12 19:12:22 2005
@@ -207,9 +207,7 @@
 if (parse_netgrp(group))
 endnetgrent();
 else {
- grouphead.grname = (char *)
- malloc(strlen(group) + 1);
- strcpy(grouphead.grname, group);
+ grouphead.grname = strdup(group);
 }
 if (netf)
 fclose(netf);
@@ -448,6 +446,8 @@
 while (pos != NULL && *pos != '\0') {
 if (*pos == '(') {
 grp = (struct netgrp *)malloc(sizeof (struct netgrp));
+ if (grp == NULL)
+ return(1);
 bzero((char *)grp, sizeof (struct netgrp));
 grp->ng_next = grouphead.gr;
 grouphead.gr = grp;
@@ -471,6 +471,8 @@
 if (len > 0) {
 grp->ng_str[strpos] = (char *)
 malloc(len + 1);
+ if (grp->ng_str[strpos] == NULL)
+ return(1);
 bcopy(spos, grp->ng_str[strpos],
 len + 1);
 }
@@ -520,7 +522,7 @@
 static struct linelist *
 read_for_group(const char *group)
 {
- char *pos, *spos, *linep, *olinep;
+ char *pos, *spos, *linep;
 int len, olen;
 int cont;
 struct linelist *lp;
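Review bot: The `strdup(group)` result in the setnetgrent() hunk (-207) is stored in grouphead.grname without a NULL check, so this allocation can still fail silently in a patch whose purpose is to check allocations. If a later call compares the requested group against grouphead.grname (that code is outside the hunk), a NULL name would be dereferenced there. Handling it like a parse failure keeps the cached state consistent: `if ((grouphead.grname = strdup(group)) == NULL) endnetgrent();`. The enclosing function starts and ends outside the hunk.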
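Review bot: The `return(1)` added after the ng_str allocation (hunk -471) exits while grp is already linked into grouphead.gr (done in hunk -448) and may hold some filled ng_str slots, so the half-built entry is only released if the caller unwinds the list. The setnetgrent() hunk does call endnetgrent() on a non-zero return, but any other call sites of parse_netgrp() are not visible here and should be checked for the same handling. A comment at both new returns, for example `/* grp is already on grouphead.gr; caller must endnetgrent() on failure */`, would record that contract. The function body continues outside both hunks.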
@@ -570,8 +572,14 @@
 pos++;
 if (*pos != '\n' && *pos != '\0') {
 lp = (struct linelist *)malloc(sizeof (*lp));
+ if (lp == NULL)
+ return(NULL);
 lp->l_parsed = 0;
 lp->l_groupname = (char *)malloc(len + 1);
+ if (lp->l_groupname == NULL) {
+ free(lp);
+ return(NULL);
+ }
 bcopy(spos, lp->l_groupname, len);
 *(lp->l_groupname + len) = '\0';
 len = strlen(pos);
@@ -589,15 +597,15 @@
 } else
 cont = 0;
 if (len > 0) {
- linep = (char *)malloc(olen + len + 1);
- if (olen > 0) {
- bcopy(olinep, linep, olen);
- free(olinep);
+ linep = (char *)reallocf(linep, olen + len + 1);
+ if (linep == NULL) {
+ free(lp->l_groupname);
+ free(lp);
+ return(NULL);
 }
 bcopy(pos, linep + olen, len);
 olen += len;
 *(linep + olen) = '\0';
- olinep = linep;
 }
 if (cont) {
 if (fgets(line, LINSIZ, netf)) {
@@ -628,5 +636,5 @@
 */
 rewind(netf);
 #endif
- return ((struct linelist *)0);
+ return (NULL);
 }
--- patch ends here ---
>Release-Note: >Audit-Trail: >Unformatted:
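Review bot: The new `return(NULL)` paths in read_for_group() (this hunk and hunk -589) return the same value as the not-found exit at the end of the function (`return (NULL);` in the last hunk), so an allocation failure is reported to the caller as "no such netgroup". Netgroup lookups commonly feed access decisions, so a failed lookup and a genuine miss should at least be documented as indistinguishable. A header comment such as `/* Returns NULL both when the group is absent and when memory allocation fails. */` would do that. It is also worth checking whether parse_netgrp() should treat the two cases differently. The function body extends outside these hunks.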
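Review bot: `reallocf(linep, olen + len + 1)` in hunk -589 reads linep on the first pass of the continuation loop, but no visible hunk gives linep a value before that; hunk -520 only drops olinep from the declaration. The removed code assigned linep from malloc() and copied from olinep only when `olen > 0`, so it never read an unset pointer, whereas the new call hands the allocator an indeterminate one. The pointer needs `linep = NULL;` wherever olen is reset for a new group line (outside the hunks, presumably just before the loop). Initialising it only at the declaration is not enough if the finished buffer is handed to lp after the loop, because the next group's first reallocf() would then resize a buffer the previous entry still owns.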