[src/trunk]: src/usr.sbin/sysinst Fix invalid free(3) in sysinst(8)

To: source-changes-hg%NetBSD.org@localhost
Subject: [src/trunk]: src/usr.sbin/sysinst Fix invalid free(3) in sysinst(8)
From: kamil <kamil%NetBSD.org@localhost>
Date: Tue, 31 Jul 2018 22:17:16 +0000

details:   https://anonhg.NetBSD.org/src/rev/b39a089e4192
branches:  trunk
changeset: 362700:b39a089e4192
user:      kamil <kamil%NetBSD.org@localhost>
date:      Thu Jun 21 23:05:28 2018 +0000

description:
Fix invalid free(3) in sysinst(8)

The path variable is assigned with an allocation on the heap with
strdup(3). Later this pointer is changed with strsep(3) and this caused
invalid free(3).

Store the original pointer in a new helper variable opath and pass it to
free(3). With this change, the problem is going away.

Detected with MKSANITIZER=yes with AddressSanitizer.

diffstat:

 usr.sbin/sysinst/util.c |  12 +++++++-----
 1 files changed, 7 insertions(+), 5 deletions(-)

diffs (42 lines):

diff -r 6f1bfd86d97f -r b39a089e4192 usr.sbin/sysinst/util.c
--- a/usr.sbin/sysinst/util.c   Thu Jun 21 22:56:42 2018 +0000
+++ b/usr.sbin/sysinst/util.c   Thu Jun 21 23:05:28 2018 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: util.c,v 1.8 2018/05/18 12:23:22 joerg Exp $   */
+/*     $NetBSD: util.c,v 1.9 2018/06/21 23:05:28 kamil Exp $   */
 
 /*
  * Copyright 1997 Piermont Information Systems Inc.
@@ -1681,14 +1681,16 @@
 int
 binary_available(const char *prog)
 {
-        char *p, tmp[MAXPATHLEN], *path = getenv("PATH");
+        char *p, tmp[MAXPATHLEN], *path = getenv("PATH"), *opath;
  
         if (path == NULL)
                 return access(prog, X_OK) == 0;
         path = strdup(path);
         if (path == NULL)
                 return 0;
- 
+
+       opath = path;
+
         while ((p = strsep(&path, ":")) != NULL) {
                 if (strlcpy(tmp, p, MAXPATHLEN) >= MAXPATHLEN)
                         continue;
@@ -1697,11 +1699,11 @@
                 if (strlcat(tmp, prog, MAXPATHLEN) >= MAXPATHLEN)
                         continue;
                 if (access(tmp, X_OK) == 0) {
-                        free(path);
+                        free(opath);
                         return 1;
                 }
         }
-        free(path);
+        free(opath);
         return 0;
 }

Prev by Date: [src/trunk]: src/sys/dev/ata split the port status reporting to new function ...
Next by Date: [src/trunk]: src/share/misc Add AFP, AMD, ASA, BSDP, DEC, IPL, MDMX, MIPS, PI...
Previous by Thread: [src/trunk]: src/sys/dev/ata split the port status reporting to new function ...
Next by Thread: [src/trunk]: src/share/misc Add AFP, AMD, ASA, BSDP, DEC, IPL, MDMX, MIPS, PI...
Indexes:

Home | Main Index | Thread Index | Old Index