Date: Tue, 12 Jul 2005 23:18:49 +0200 (CEST)
From: Dan Lukes <dan@obluda.cz>
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: bin/83352: [ PATCH ] Improper malloc failure handling within cam_device_dup()
Message-ID: <200507122118.j6CLInkQ017402@kulesh.obluda.cz>
Resent-Message-ID: <200507122120.j6CLK1kd089906@freefall.freebsd.org>
>Number: 83352
>Category: bin
>Synopsis: [ PATCH ] Improper malloc failure handling within cam_device_dup()
>Confidential: no
>Severity: serious
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Tue Jul 12 21:20:01 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator: Dan Lukes
>Release: FreeBSD 5.4-STABLE i386
>Organization:
Obludarium
>Environment:
System: FreeBSD 5.4-STABLE #8: Sat Jul 9 16:31:08 CEST 2005 i386
lib/libcam/camlib.c,v 1.12 2004/07/29 15:35:45 scottl
>Description:
Improper malloc failure handling within cam_device_dup() can cause
NULL dereference.
BTW, free() can be called with NULL, so 'if(x) free(x)'
construct isn't necessary.
>How-To-Repeat:
>Fix:
--- patch begins here ---
--- lib/libcam/camlib.c.ORIG Sun Aug 8 21:03:38 2004
+++ lib/libcam/camlib.c Tue Jul 12 23:01:41 2005
@@ -97,8 +97,7 @@
void
cam_freeccb(union ccb *ccb)
{
- if (ccb != NULL)
- free(ccb);
+ free(ccb);
}
/*
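Review bot: The NULL-check removal in cam_freeccb() is a behaviour-preserving cleanup (free(NULL) is a no-op in standard C) and is unrelated to the cam_device_dup() fix named in the synopsis. Consider submitting it as a separate change so the NULL-dereference fix can be reviewed and merged on its own.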
@@ -709,7 +708,6 @@
cam_close_spec_device(dev);
- if (dev != NULL)
- free(dev);
+ free(dev);
}
void
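Review bot: The removed 'if (dev != NULL)' sat after 'cam_close_spec_device(dev);', so dev is already handed to that call before any NULL test in the visible lines. Dropping the guard around free() is safe, but if a NULL dev is a legal argument here, check that cam_close_spec_device() tolerates it, or return early at the top of the function instead.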
@@ -757,6 +755,11 @@
}
newdev = malloc(sizeof(struct cam_device));
+ if (newdev == NULL) {
+ snprintf(cam_errbuf, CAM_ERRBUF_SIZE,
+ "%s: couldn't malloc CAM device structure", func_name);
+ return(NULL);
+ }
bcopy(device, newdev, sizeof(struct cam_device));
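Review bot: The new 'newdev == NULL' branch uses func_name and CAM_ERRBUF_SIZE, neither of which is declared in the visible context, so confirm both are in scope in cam_device_dup(). The check itself is placed correctly, before 'bcopy(device, newdev, ...)' writes through the pointer. Callers need to test the return value for NULL on this path, and if the manual page does not already describe a NULL return from cam_device_dup(), it should.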
--- patch ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted:
