Date: Wed, 13 Jul 2005 00:59:45 +0200 (CEST) From: Dan Lukes <dan@obluda.cz> To: FreeBSD-gnats-submit@FreeBSD.org Subject: bin/83359: [ PATCH ] improper handling of malloc failures within libdevstat code Message-ID: <200507122259.j6CMxjZL018194@kulesh.obluda.cz> Resent-Message-ID: <200507122300.j6CN0QDl099301@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 83359 >Category: bin >Synopsis: [ PATCH ] improper handling of malloc failures within libdevstat code >Confidential: no >Severity: serious >Priority: low >Responsible: freebsd-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Tue Jul 12 23:00:26 GMT 2005 >Closed-Date: >Last-Modified: >Originator: Dan Lukes >Release: FreeBSD 5.4-STABLE i386 >Organization: Obludarium >Environment: System: FreeBSD 5.4-STABLE #8: Sat Jul 9 16:31:08 CEST 2005 i386 lib/libdevstat/devstat.c,v 1.26 2004/06/25 01:16:02 kan >Description: Improper handling of malloc failures within libdevstat code can cause NULL deference. >How-To-Repeat: >Fix: WARNS level within lib/libdevstat/Makefile can be raised to '3' --- patch begins here --- --- lib/libdevstat/devstat.c.ORIG Sun Aug 8 21:03:38 2004 +++ lib/libdevstat/devstat.c Wed Jul 13 00:51:25 2005 @@ -370,6 +370,12 @@ dssize = (dinfo->numdevs * sizeof(struct devstat)) + sizeof(long); dinfo->mem_ptr = (u_int8_t *)malloc(dssize); + if (dinfo->mem_ptr == NULL) { + snprintf(devstat_errbuf, sizeof(devstat_errbuf), + "%s: Cannot allocate memory for mem_ptr element", + func_name); + return(-1); + } } else dssize = (dinfo->numdevs * sizeof(struct devstat)) + sizeof(long); @@ -549,6 +555,7 @@ int old_num_selections = 0, old_num_selected; int selection_number = 0; int changed = 0, found = 0; + const char *func_name = "devstat_selectdevs"; if ((dev_select == NULL) || (devices == NULL) || (numdevs < 0)) return(-1); @@ -572,7 +579,7 @@ * either enlarge or reduce the size of the device selection list. */ } else if (*num_selections != numdevs) { - *dev_select = (struct device_selection *)realloc(*dev_select, + *dev_select = (struct device_selection *)reallocf(*dev_select, numdevs * sizeof(struct device_selection)); *select_generation = current_generation; init_selections = 1; @@ -586,6 +593,13 @@ init_selections = 1; } + if (*dev_select == NULL) { + snprintf(devstat_errbuf, sizeof(devstat_errbuf), + "%s: Cannot (re)allocate memory for dev_select argument", + func_name); + return(-1); + } + /* * If we're in "only" mode, we want to clear out the selected * variable since we're going to select exactly what the user wants @@ -613,6 +627,12 @@ || (perf_select != 0)) && (changed == 0)){ old_dev_select = (struct device_selection *)malloc( *num_selections * sizeof(struct device_selection)); + if (old_dev_select == NULL) { + snprintf(devstat_errbuf, sizeof(devstat_errbuf), + "%s: Cannot allocate memory for selection list backup", + func_name); + return(-1); + } old_num_selections = *num_selections; bcopy(*dev_select, old_dev_select, sizeof(struct device_selection) * *num_selections); @@ -1033,16 +1053,17 @@ return(-1); } - /* - * Since you can't realloc a pointer that hasn't been malloced - * first, we malloc first and then realloc. - */ if (*num_matches == 0) - *matches = (struct devstat_match *)malloc( - sizeof(struct devstat_match)); - else - *matches = (struct devstat_match *)realloc(*matches, - sizeof(struct devstat_match) * (*num_matches + 1)); + *matches = NULL; + + *matches = (struct devstat_match *)reallocf(*matches, + sizeof(struct devstat_match) * (*num_matches + 1)); + + if (*matches == NULL) { + snprintf(devstat_errbuf, sizeof(devstat_errbuf), + "%s: Cannot allocate memory for matches list", func_name); + return(-1); + } /* Make sure the current entry is clear */ bzero(&matches[0][*num_matches], sizeof(struct devstat_match)); --- patch ends here --- >Release-Note: >Audit-Trail: >Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200507122259.j6CMxjZL018194>