Date:      Tue, 12 Jul 2005 19:23:52 +0200 (CEST)
From:      Dan Lukes <dan@obluda.cz>
To:        FreeBSD-gnats-submit@FreeBSD.org
Subject:   bin/83340: [ PATCH ] setnetgrent() and supporting functions don't check malloc for failures
Message-ID:  <200507121723.j6CHNq2D016014@kulesh.obluda.cz>
Resent-Message-ID: <200507121730.j6CHUGPb061766@freefall.freebsd.org>


>Number:         83340
>Category:       bin
>Synopsis:       [ PATCH ] setnetgrent() and supporting functions don't check malloc for failures
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Jul 12 17:30:15 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator:     Dan Lukes
>Release:        FreeBSD 5.4-STABLE i386
>Organization:
>Environment:
System: FreeBSD 5.4-STABLE #8: Sat Jul 9 16:31:08 CEST 2005 i386
lib/libc/gen/getnetgrent.c,v 1.31.2.1 2004/11/28 14:10:16 bz

>Description:
	setnetgrent(), parse_netgrp() (called from it) and read_for_group()
(called from parse_netgrp()) do not check malloc() for failure.

>How-To-Repeat:
>Fix:

--- patch begins here ---
--- lib/libc/gen/getnetgrent.c.ORIG	Tue Nov 30 14:52:11 2004
+++ lib/libc/gen/getnetgrent.c	Tue Jul 12 19:12:22 2005
@@ -207,9 +207,7 @@
 			if (parse_netgrp(group))
 				endnetgrent();
 			else {
-				grouphead.grname = (char *)
-					malloc(strlen(group) + 1);
-				strcpy(grouphead.grname, group);
+				grouphead.grname = strdup(group);
 			}
 			if (netf)
 				fclose(netf);
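Review bot: The result of `strdup(group)` is stored in `grouphead.grname` without a NULL check, so this is the one allocation touched by the patch that can still fail silently. Any code outside this hunk that later reads `grouphead.grname`, for example to compare it with a requested group name, would then receive a NULL pointer. Consider `if ((grouphead.grname = strdup(group)) == NULL) endnetgrent();` so that a failed copy discards the parsed list the same way a parse failure does. The body of setnetgrent() starts and ends outside the hunk, so whether readers of `grname` tolerate NULL needs confirming there.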
@@ -448,6 +446,8 @@
 	while (pos != NULL && *pos != '\0') {
 		if (*pos == '(') {
 			grp = (struct netgrp *)malloc(sizeof (struct netgrp));
+			if (grp == NULL)
+				return(1);
 			bzero((char *)grp, sizeof (struct netgrp));
 			grp->ng_next = grouphead.gr;
 			grouphead.gr = grp;
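Review bot: A style point on the allocation of `grp`: the malloc, the new NULL check and the following bzero can be a single zeroing allocation, `grp = calloc(1, sizeof(*grp));`, followed by the same `if (grp == NULL) return (1);`. That drops both casts and ties the size to the variable rather than the type name. The early return itself looks safe at this point because `grp` has not yet been linked into `grouphead.gr`. The enclosing function continues outside the hunk.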
@@ -471,6 +471,8 @@
 					if (len > 0) {
 						grp->ng_str[strpos] =  (char *)
 							malloc(len + 1);
+						if (grp->ng_str[strpos] == NULL)
+							return(1);
 						bcopy(spos, grp->ng_str[strpos],
 							len + 1);
 					}
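Review bot: The new `return(1)` leaves a half-filled `grp` linked on `grouphead.gr`, and a field whose allocation failed is NULL exactly like a field that was empty (the `len > 0` guard skips the allocation, and the struct was zeroed in the previous hunk). If NULL is how a wildcard field is represented, which the code suggests but this hunk does not prove, a triple hit by out-of-memory would match more broadly than the netgroup file says unless every caller discards the list on a non-zero return. The setnetgrent() hunk does call endnetgrent() on failure; other callers are not visible here and should be checked. I would state the contract at the return, e.g. `/* grp stays linked with NULL fields; caller must endnetgrent() on failure */`.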
@@ -520,7 +522,7 @@
 static struct linelist *
 read_for_group(const char *group)
 {
-	char *pos, *spos, *linep, *olinep;
+	char *pos, *spos, *linep;
 	int len, olen;
 	int cont;
 	struct linelist *lp;
@@ -570,8 +572,14 @@
 			pos++;
 		if (*pos != '\n' && *pos != '\0') {
 			lp = (struct linelist *)malloc(sizeof (*lp));
+			if (lp == NULL) 
+				return(NULL);
 			lp->l_parsed = 0;
 			lp->l_groupname = (char *)malloc(len + 1);
+			if (lp->l_groupname == NULL) {
+				free(lp);
+				return(NULL);
+			}
 			bcopy(spos, lp->l_groupname, len);
 			*(lp->l_groupname + len) = '\0';
 			len = strlen(pos);
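Review bot: Both new `return(NULL)` paths report allocation failure with the same value the function returns at its end, so a caller cannot tell out-of-memory from a netgroup that is not in the file. Whether that is acceptable depends on how callers use the result, which is not visible here, so it should at least be documented. I would add to the function's header comment something like `/* Returns NULL if the group is not found or if memory is exhausted. */`. Minor: the added `if (lp == NULL) ` line carries trailing whitespace. read_for_group() starts and ends outside this hunk.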
@@ -589,15 +597,15 @@
 				} else
 					cont = 0;
 				if (len > 0) {
-					linep = (char *)malloc(olen + len + 1);
-					if (olen > 0) {
-						bcopy(olinep, linep, olen);
-						free(olinep);
+					linep = (char *)reallocf(linep, olen + len + 1);
+					if (linep == NULL) {
+						free(lp->l_groupname);
+						free(lp);
+						return(NULL);
 					}
 					bcopy(pos, linep + olen, len);
 					olen += len;
 					*(linep + olen) = '\0';
-					olinep = linep;
 				}
 				if (cont) {
 					if (fgets(line, LINSIZ, netf)) {
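Review bot: `reallocf(linep, olen + len + 1)` now reads `linep` on its very first call, but no line of this patch initialises it; the old code never read the previous buffer unless `olen > 0`. Unless `linep` is set to NULL in context that is not shown, the first pass hands an indeterminate pointer to reallocf, and a later group line would resize the buffer already stored for the previous entry. Add `linep = NULL;` where each new `lp` is set up (presumably next to the reset of `olen`, outside this hunk), before the continuation loop. The failure branch itself is fine, since reallocf has already released the old buffer when it returns NULL.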
@@ -628,5 +636,5 @@
 	 */
 	rewind(netf);
 #endif
-	return ((struct linelist *)0);
+	return (NULL);
 }
--- patch ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted:


