Subject: lib/3655: various yp_*() functions may not initialise returned data
To: None <gnats-bugs@gnats.netbsd.org>
From: Luke Mewburn <lukem@connect.com.au>
List: netbsd-bugs
Date: 05/20/1997 17:53:11
>Number: 3655
>Category: lib
>Synopsis: various yp_*() functions may not initialise returned data
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: lib-bug-people (Library Bug People)
>State: open
>Class: sw-bug
>Submitter-Id: lm
>Arrival-Date: Tue May 20 01:05:00 1997
>Last-Modified:
>Originator: Luke Mewburn
>Organization:
TNF
>Release: 1.2E
>Environment:
System: NetBSD karybdis 1.2E NetBSD 1.2E (LUKEM) #1: Thu May 15 13:30:36 EST 1997 lukem@karybdis:/z/src/NetBSD-current/src/sys/arch/i386/compile/LUKEM i386
>Description:
(I discovered this by code examination whilst debugging [lib/3580])
To quote from the man pages for yp_first() et al:
`` Any output values of type char ** should be the addresses
of uninitialized character pointers. Memory will be
allocated by the YP client routines using malloc(). This
memory can later be freed by the user if there is no
additional need for the data stored there. ''
One could infer from this that if you pass an uninitialised
value for outdata, and even if an error occurs, outdata will
either point to an area of memory returned from malloc(),
or NULL.
However, from examining the code for yp_first(), yp_next(),
yp_master() and yp_match() (functions which have return values
of the form "char **outXXX"), there are conditions where these
won't be reset before the function returns.
>How-To-Repeat:
Something like (when indom or inmap isn't valid):
	int retval, datalen;
	char *data;	/* currently points to random memory */
	retval = yp_first(indom, inmap, ... , &data, &datalen);
	if (retval != 0) {
		/* data was never reset, so this may free() a garbage pointer */
		if (data)
			free(data);
	}
>Fix:
Change yp_first(), yp_next(), yp_master() and yp_match()
to ensure that all outXXX parameters (outkey, outval,
and outname):
  * don't point to NULL (return YPERR_BADARGS if so)
    This should be done before any other code can return
    from that function.
  * set *outXXX=NULL *before* testing if inXXX is valid
These changes would mean that any 'char **outXXX' value
will be at least NULL before return from a YP function.
I'm willing to hack the code to do this; this PR is just a
placeholder and to ensure that I'm on the correct track.
>Audit-Trail:
>Unformatted:
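
The pattern described under Description and Fix, as an added example that is not part of the original PR and not the NetBSD libc code. lookup_unsafe(), lookup_safe(), after_failure() and the DEMO_* codes are hypothetical stand-ins for a yp_*() function, its caller and the YPERR_* values; the sentinel models an uninitialised pointer without ever freeing it.

```c
#include <stdio.h>
#include <stdlib.h>

/* Local stand-ins (not the real YPERR_* values or the real input checks). */
enum { DEMO_OK = 0, DEMO_BADARGS = 1, DEMO_RESOURCE = 2 };
static int valid_name(const char *s) { return s != NULL && *s != '\0'; }

static int fill(char **outval)
{
	*outval = calloc(1, 8);	/* stand-in for the malloc()ed server reply */
	return *outval != NULL ? DEMO_OK : DEMO_RESOURCE;
}

/* Pattern reported in the PR: the early return never touches *outval. */
int lookup_unsafe(const char *indom, const char *inmap, char **outval)
{
	if (!valid_name(indom) || !valid_name(inmap))
		return DEMO_BADARGS;	/* *outval still holds the caller's garbage */
	return fill(outval);
}

/* Proposed pattern: reject a NULL outval, then reset it before any other return. */
int lookup_safe(const char *indom, const char *inmap, char **outval)
{
	if (outval == NULL)
		return DEMO_BADARGS;
	*outval = NULL;		/* done before the inXXX checks */
	if (!valid_name(indom) || !valid_name(inmap))
		return DEMO_BADARGS;
	return fill(outval);
}

/* Call fn with an invalid domain; return what the caller's pointer holds after. */
char *after_failure(int (*fn)(const char *, const char *, char **), char *stale)
{
	char *data = stale;	/* models an uninitialised pointer */
	(void)fn("", "passwd.byname", &data);
	return data;
}

int main(void)
{
	static char sentinel;	/* constructed: not from malloc(), never freed */
	char *p = after_failure(lookup_safe, &sentinel);
	printf("unsafe kept stale: %d, safe gave NULL: %d\n",
	    after_failure(lookup_unsafe, &sentinel) == &sentinel, p == NULL);
	free(p);	/* free(NULL) is a no-op, so the error path is safe */
	return 0;
}
```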