Source-Changes-HG archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

[src/trunk]: src/usr.sbin/sysinst Fix invalid free(3) in sysinst(8)



details:   https://anonhg.NetBSD.org/src/rev/519116c47618
branches:  trunk
changeset: 320067:519116c47618
user:      kamil <kamil%NetBSD.org@localhost>
date:      Thu Jun 21 23:05:28 2018 +0000

description:
Fix invalid free(3) in sysinst(8)

The path variable is assigned with an allocation on the heap with
strdup(3). Later this pointer is changed with strsep(3) and this caused
invalid free(3).

Store the original pointer in a new helper variable opath and pass it to
free(3). With this change, the problem is going away.

Detected with MKSANITIZER=yes with AddressSanitizer.

diffstat:

 usr.sbin/sysinst/util.c |  12 +++++++-----
 1 files changed, 7 insertions(+), 5 deletions(-)

diffs (42 lines):

diff -r 7ef663a3b730 -r 519116c47618 usr.sbin/sysinst/util.c
--- a/usr.sbin/sysinst/util.c   Thu Jun 21 22:56:42 2018 +0000
+++ b/usr.sbin/sysinst/util.c   Thu Jun 21 23:05:28 2018 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: util.c,v 1.8 2018/05/18 12:23:22 joerg Exp $   */
+/*     $NetBSD: util.c,v 1.9 2018/06/21 23:05:28 kamil Exp $   */
 
 /*
  * Copyright 1997 Piermont Information Systems Inc.
@@ -1681,14 +1681,16 @@
 int
 binary_available(const char *prog)
 {
-        char *p, tmp[MAXPATHLEN], *path = getenv("PATH");
+        char *p, tmp[MAXPATHLEN], *path = getenv("PATH"), *opath;
  
         if (path == NULL)
                 return access(prog, X_OK) == 0;
         path = strdup(path);
         if (path == NULL)
                 return 0;
- 
+
+       opath = path;
+
         while ((p = strsep(&path, ":")) != NULL) {
                 if (strlcpy(tmp, p, MAXPATHLEN) >= MAXPATHLEN)
                         continue;
@@ -1697,11 +1699,11 @@
                 if (strlcat(tmp, prog, MAXPATHLEN) >= MAXPATHLEN)
                         continue;
                 if (access(tmp, X_OK) == 0) {
-                        free(path);
+                        free(opath);
                         return 1;
                 }
         }
-        free(path);
+        free(opath);
         return 0;
 }
 



Home | Main Index | Thread Index | Old Index