Date: Wed, 13 Jul 2005 00:59:45 +0200 (CEST) From: Dan Lukes <dan@obluda.cz> To: FreeBSD-gnats-submit@FreeBSD.org Subject: bin/83359: [ PATCH ] improper handling of malloc failures within libdevstat code Message-ID: <200507122259.j6CMxjZL018194@kulesh.obluda.cz> Resent-Message-ID: <200507122300.j6CN0QDl099301@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 83359
>Category: bin
>Synopsis: [ PATCH ] improper handling of malloc failures within libdevstat code
>Confidential: no
>Severity: serious
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Tue Jul 12 23:00:26 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator: Dan Lukes
>Release: FreeBSD 5.4-STABLE i386
>Organization:
Obludarium
>Environment:
System: FreeBSD 5.4-STABLE #8: Sat Jul 9 16:31:08 CEST 2005 i386
lib/libdevstat/devstat.c,v 1.26 2004/06/25 01:16:02 kan
>Description:
Improper handling of malloc failures within libdevstat code can
cause NULL deference.
>How-To-Repeat:
>Fix:
WARNS level within lib/libdevstat/Makefile can be raised to '3'
--- patch begins here ---
--- lib/libdevstat/devstat.c.ORIG Sun Aug 8 21:03:38 2004
+++ lib/libdevstat/devstat.c Wed Jul 13 00:51:25 2005
@@ -370,6 +370,12 @@
dssize = (dinfo->numdevs * sizeof(struct devstat)) +
sizeof(long);
dinfo->mem_ptr = (u_int8_t *)malloc(dssize);
+ if (dinfo->mem_ptr == NULL) {
+ snprintf(devstat_errbuf, sizeof(devstat_errbuf),
+ "%s: Cannot allocate memory for mem_ptr element",
+ func_name);
+ return(-1);
+ }
} else
dssize = (dinfo->numdevs * sizeof(struct devstat)) +
sizeof(long);
@@ -549,6 +555,7 @@
int old_num_selections = 0, old_num_selected;
int selection_number = 0;
int changed = 0, found = 0;
+ const char *func_name = "devstat_selectdevs";
if ((dev_select == NULL) || (devices == NULL) || (numdevs < 0))
return(-1);
@@ -572,7 +579,7 @@
* either enlarge or reduce the size of the device selection list.
*/
} else if (*num_selections != numdevs) {
- *dev_select = (struct device_selection *)realloc(*dev_select,
+ *dev_select = (struct device_selection *)reallocf(*dev_select,
numdevs * sizeof(struct device_selection));
*select_generation = current_generation;
init_selections = 1;
@@ -586,6 +593,13 @@
init_selections = 1;
}
+ if (*dev_select == NULL) {
+ snprintf(devstat_errbuf, sizeof(devstat_errbuf),
+ "%s: Cannot (re)allocate memory for dev_select argument",
+ func_name);
+ return(-1);
+ }
+
/*
* If we're in "only" mode, we want to clear out the selected
* variable since we're going to select exactly what the user wants
@@ -613,6 +627,12 @@
|| (perf_select != 0)) && (changed == 0)){
old_dev_select = (struct device_selection *)malloc(
*num_selections * sizeof(struct device_selection));
+ if (old_dev_select == NULL) {
+ snprintf(devstat_errbuf, sizeof(devstat_errbuf),
+ "%s: Cannot allocate memory for selection list backup",
+ func_name);
+ return(-1);
+ }
old_num_selections = *num_selections;
bcopy(*dev_select, old_dev_select,
sizeof(struct device_selection) * *num_selections);
@@ -1033,16 +1053,17 @@
return(-1);
}
- /*
- * Since you can't realloc a pointer that hasn't been malloced
- * first, we malloc first and then realloc.
- */
if (*num_matches == 0)
- *matches = (struct devstat_match *)malloc(
- sizeof(struct devstat_match));
- else
- *matches = (struct devstat_match *)realloc(*matches,
- sizeof(struct devstat_match) * (*num_matches + 1));
+ *matches = NULL;
+
+ *matches = (struct devstat_match *)reallocf(*matches,
+ sizeof(struct devstat_match) * (*num_matches + 1));
+
+ if (*matches == NULL) {
+ snprintf(devstat_errbuf, sizeof(devstat_errbuf),
+ "%s: Cannot allocate memory for matches list", func_name);
+ return(-1);
+ }
/* Make sure the current entry is clear */
bzero(&matches[0][*num_matches], sizeof(struct devstat_match));
--- patch ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200507122259.j6CMxjZL018194>