Date:      Wed, 24 Nov 2010 21:54:46 +0000 (UTC)
From:      Bruce Cran <brucec@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-8@freebsd.org
Subject:   svn commit: r215805 - stable/8/usr.sbin/sysinstall
Message-ID:  <201011242154.oAOLskfe084115@svn.freebsd.org>

Author: brucec
Date: Wed Nov 24 21:54:45 2010
New Revision: 215805
URL: http://svn.freebsd.org/changeset/base/215805

Log:
  MFC r215637:
  
  dispatch_add_command:
  Modify the logic so there's only one exit point instead of two.
  Only insert valid (non-NULL) values into the queue.
  
  dispatch_free_command:
  Ensure that item is not NULL before removing it from the queue and
  dereferencing the pointer.
  NULL out free'd pointers to catch any use-after-free bugs.
  
  PR:	bin/146855
  Submitted by:	gcooper

Modified:
  stable/8/usr.sbin/sysinstall/dispatch.c
Directory Properties:
  stable/8/usr.sbin/sysinstall/   (props changed)

Modified: stable/8/usr.sbin/sysinstall/dispatch.c
==============================================================================
--- stable/8/usr.sbin/sysinstall/dispatch.c	Wed Nov 24 21:43:36 2010	(r215804)
+++ stable/8/usr.sbin/sysinstall/dispatch.c	Wed Nov 24 21:54:45 2010	(r215805)
@@ -136,8 +136,12 @@ typedef struct command_buffer_ {
 static void
 dispatch_free_command(command_buffer *item)
 {
-    REMQUE(item);
-    free(item->string);
+    if (item != NULL) {
+	REMQUE(item);
+	free(item->string);
+	item->string = NULL;
+    }
+
     free(item);
 }
 
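Review bot: The added `item->string = NULL;` in dispatch_free_command does not catch use-after-free, because `free(item)` releases the struct holding that field on the next statement, and a compiler may drop the store as dead. `item` is passed by value, so each caller still holds a dangling pointer after the call; the callers are outside this hunk, so whether any of them touches it again cannot be checked here. A contract comment above the function, for example `/* item is invalid after this call; callers must clear their own pointer */`, would state what the code actually guarantees. If stale use really should be trapped, the function would need to take `command_buffer **` and set `*item = NULL`, which changes every call site.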
@@ -155,19 +159,29 @@ dispatch_free_all(qelement *head)
 static command_buffer *
 dispatch_add_command(qelement *head, char *string)
 {
-    command_buffer *new;
+    command_buffer *new = NULL;
 
     new = malloc(sizeof(command_buffer));
 
-    if (!new)
-	return NULL;
+    if (new != NULL) {
 
-    new->string = strdup(string);
-    INSQUEUE(new, head->q_back);
+	new->string = strdup(string);
+
+	/*
+	 * We failed to copy `string'; clean up the allocated
+	 * resources.
+	 */
+	if (new->string == NULL) {
+	    free(new);
+	    new = NULL;
+	} else {
+	    INSQUEUE(new, head->q_back);
+	}
+    }
 
     return new;
 }
-
+
 /*
  * Command processing
  */
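Review bot: `string` is passed to `strdup()` in dispatch_add_command without a NULL check, and `strdup(NULL)` is undefined behaviour, so the new error handling covers allocation failure but not a bad argument. The callers are outside this hunk and may already guarantee a non-NULL string, so this is a hardening point rather than a confirmed defect. The new initializer `command_buffer *new = NULL;` is currently dead, since `malloc` overwrites it on the next statement. Writing the allocation as `if (string != NULL) new = malloc(sizeof(*new));` would give the initializer a purpose and keep the single exit point the commit aims for. `head->q_back` is likewise dereferenced unchecked in the `INSQUEUE` call.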
@@ -280,7 +294,7 @@ dispatchCommand(char *str)
     return i;
 }
 
-
+
 /*
  * File processing
  */


