Date: Tue, 12 Jul 2005 23:18:49 +0200 (CEST)
From: Dan Lukes <dan@obluda.cz>
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: bin/83352: [ PATCH ] Improper malloc failure handling within cam_device_dup()
Message-ID: <200507122118.j6CLInkQ017402@kulesh.obluda.cz>
Resent-Message-ID: <200507122120.j6CLK1kd089906@freefall.freebsd.org>
>Number: 83352
>Category: bin
>Synopsis: [ PATCH ] Improper malloc failure handling within cam_device_dup()
>Confidential: no
>Severity: serious
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Tue Jul 12 21:20:01 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator: Dan Lukes
>Release: FreeBSD 5.4-STABLE i386
>Organization: Obludarium
>Environment:
System: FreeBSD 5.4-STABLE #8: Sat Jul 9 16:31:08 CEST 2005 i386
lib/libcam/camlib.c,v 1.12 2004/07/29 15:35:45 scottl
>Description:
Improper malloc failure handling within cam_device_dup() can cause NULL dereference.
BTW, free() can be called with NULL, so 'if(x) free(x)' construct isn't necessary.
>How-To-Repeat:
>Fix:
--- patch begins here ---
--- lib/libcam/camlib.c.ORIG Sun Aug 8 21:03:38 2004 +++ lib/libcam/camlib.c Tue Jul 12 23:01:41 2005 @@ -97,8 +97,7 @@ void cam_freeccb(union ccb *ccb) { - if (ccb != NULL) - free(ccb); + free(ccb); } /* @@ -709,7 +708,6 @@ cam_close_spec_device(dev); - if (dev != NULL) - free(dev); + free(dev); } void @@ -757,6 +755,11 @@ } newdev = malloc(sizeof(struct cam_device)); + if (newdev == NULL) { + snprintf(cam_errbuf, CAM_ERRBUF_SIZE, + "%s: couldn't malloc CAM device structure", func_name); + return(NULL); + } bcopy(device, newdev, sizeof(struct cam_device));
--- patch ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted:
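Review bot: in the @@ -709,7 +708,6 @@ hunk, the context line above the change calls cam_close_spec_device(dev) unconditionally, so removing the `if (dev != NULL)` guard around free(dev) leaves no visible NULL check on dev anywhere in the shown lines. free(NULL) is a no-op, so the free() itself is safe, but if dev can be NULL here the dereference would already happen inside cam_close_spec_device(). Please confirm the function returns early on a NULL dev before the lines shown, or add that check rather than only dropping the guard.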
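Review bot: in the @@ -757,6 +755,11 @@ hunk, the added snprintf() call uses `func_name`, which is not declared in any line the hunk shows; please confirm it is in scope in cam_device_dup() at that point. The check itself is in the right place, before bcopy(device, newdev, ...) touches newdev. Two smaller points on the same lines: style(9) wants a space in `return (NULL);`, and the message would be more useful to callers reading cam_errbuf if it included the failure reason, for example by appending strerror(errno).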