[src/trunk]: src/sys/lib/libsa Fix a use-after-free (well, dealloc actually) ...

[jakllsch <jakllsch%NetBSD.org@localhost>]

details:   https://anonhg.NetBSD.org/src/rev/270616416ef8
branches:  trunk
changeset: 791648:270616416ef8
user:      jakllsch <jakllsch%NetBSD.org@localhost>
date:      Wed Nov 27 17:33:03 2013 +0000

description:
Fix a use-after-free (well, dealloc actually) issue.

diffstat:

 sys/lib/libsa/loadfile_elf32.c |  6 ++++--
 1 files changed, 4 insertions(+), 2 deletions(-)

diffs (34 lines):

diff -r 29a22e73ac9c -r 270616416ef8 sys/lib/libsa/loadfile_elf32.c
--- a/sys/lib/libsa/loadfile_elf32.c    Wed Nov 27 17:28:39 2013 +0000
+++ b/sys/lib/libsa/loadfile_elf32.c    Wed Nov 27 17:33:03 2013 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: loadfile_elf32.c,v 1.29 2011/02/17 21:15:31 christos Exp $ */
+/* $NetBSD: loadfile_elf32.c,v 1.30 2013/11/27 17:33:03 jakllsch Exp $ */
 
 /*-
  * Copyright (c) 1997, 2008 The NetBSD Foundation, Inc.
@@ -273,6 +273,7 @@
                uint8_t         desc[ELF_NOTE_NETBSD_DESCSZ];
        } note;
        char *shstr = NULL;
+       size_t shstrsz = 0;
        int boot_load_ctf = 1;
 
        /* some ports dont use the offset */
@@ -432,6 +433,7 @@
                                }
 
                                shstr = ALLOC(shp[elf->e_shstrndx].sh_size);
+                               shstrsz = shp[elf->e_shstrndx].sh_size;
                                if (lseek(fd, shp[elf->e_shstrndx].sh_offset,
                                    SEEK_SET) == -1) {
                                        WARN(("lseek symbols"));
@@ -556,7 +558,7 @@
        }
        
        if (shstr) {
-           DEALLOC(shstr, shp[elf->e_shstrndx].sh_size);
+           DEALLOC(shstr, shstrsz);
        }
 
        /*