From dan@kulesh.obluda.cz  Tue Jul 12 20:45:51 2005
Return-Path: <dan@kulesh.obluda.cz>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id E924416A41C
	for <FreeBSD-gnats-submit@freebsd.org>; Tue, 12 Jul 2005 20:45:50 +0000 (GMT)
	(envelope-from dan@kulesh.obluda.cz)
Received: from kulesh.obluda.cz (kulesh.obluda.cz [193.179.22.243])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 9C3F543D46
	for <FreeBSD-gnats-submit@freebsd.org>; Tue, 12 Jul 2005 20:45:49 +0000 (GMT)
	(envelope-from dan@kulesh.obluda.cz)
Received: from kulesh.obluda.cz (localhost.eunet.cz [127.0.0.1])
	by kulesh.obluda.cz (8.13.3/8.13.3) with ESMTP id j6CKjR7a017185
	for <FreeBSD-gnats-submit@freebsd.org>; Tue, 12 Jul 2005 22:45:27 +0200 (CEST)
	(envelope-from dan@kulesh.obluda.cz)
Received: (from root@localhost)
	by kulesh.obluda.cz (8.13.3/8.13.1/Submit) id j6CKjQ9d017184;
	Tue, 12 Jul 2005 22:45:26 +0200 (CEST)
	(envelope-from dan)
Message-Id: <200507122045.j6CKjQ9d017184@kulesh.obluda.cz>
Date: Tue, 12 Jul 2005 22:45:26 +0200 (CEST)
From: Dan Lukes <dan@obluda.cz>
Reply-To: Dan Lukes <dan@obluda.cz>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: [ PATCH ] improper handling o malloc's failures within libc/yp/yplib.c routines
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         83349
>Category:       bin
>Synopsis:       [patch] improper handling o malloc's failures within libc/yp/yplib.c routines
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Jul 12 20:50:16 GMT 2005
>Closed-Date:    Thu Dec 22 20:14:25 CST 2011
>Last-Modified:  Fri Dec 23 02:20:09 UTC 2011
>Originator:     Dan Lukes
>Release:        FreeBSD 5.4-STABLE i386
>Organization:
Obludarium
>Environment:
System: FreeBSD 5.4-STABLE #8: Sat Jul 9 16:31:08 CEST 2005 i386
lib/libc/yp/yplib.c,v 1.45.6.1 2005/05/13 17:06:52 ume

>Description:
	Improper handling of malloc failures can cause a NULL pointer
dereference and memory leaks within the yp_* routines.

>How-To-Repeat:
>Fix:

--- patch begins here ---
--- lib/libc/yp/yplib.c.ORIG	Mon May 16 00:06:44 2005
+++ lib/libc/yp/yplib.c	Tue Jul 12 22:36:33 2005
@@ -331,6 +331,8 @@
 
 	if (ysd == NULL) {
 		ysd = (struct dom_binding *)malloc(sizeof *ysd);
+		if (ysd == NULL)
+			return(YPERR_RESRC);
 		bzero((char *)ysd, sizeof *ysd);
 		ysd->dom_socket = -1;
 		ysd->dom_vers = 0;
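Review bot: The allocation at the top of the `if (ysd == NULL)` branch still casts malloc's result and zeroes the block with a separate `bzero`, so the new NULL check sits between two steps that could be one. `ysd = calloc(1, sizeof *ysd);` followed by the same `if (ysd == NULL) return (YPERR_RESRC);` does the same work without the cast. The enclosing function starts and ends outside the hunk, so whether anything acquired earlier needs releasing before this early return cannot be checked from here.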
@@ -675,11 +677,18 @@
 */
 		*outvallen = yprv.val.valdat_len;
 		*outval = (char *)malloc(*outvallen+1);
+		if (*outval == NULL) {
+			_yp_unbind(ysd);
+			*outvallen = 0;
+			YPUNLOCK();
+			return(YPERR_RESRC);
+		}
 		bcopy(yprv.val.valdat_val, *outval, *outvallen);
 		(*outval)[*outvallen] = '\0';
 		YPUNLOCK();
 		return (0);
 	}
+	_yp_unbind(ysd);
 #endif
 
 again:
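Review bot: The `_yp_unbind(ysd);` added just before `#endif` is not on a failure path: it runs on every cache miss, immediately before the `again:` label, while the cache-hit return above it leaves the binding in place. If the code after `again:` binds again, which the hunk does not show, every miss would pay for a teardown and a rebind that have nothing to do with malloc failing. Either drop the line or give it a comment that states why the binding has to be released here, for instance `/* cache miss: release the binding taken for the cache lookup */` if that is the intent. The function body starts before and continues after the hunk.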
@@ -705,6 +714,13 @@
 	if (!(r = ypprot_err(yprv.stat))) {
 		*outvallen = yprv.val.valdat_len;
 		*outval = (char *)malloc(*outvallen+1);
+		if (*outval == NULL) {
+			_yp_unbind(ysd);
+			*outvallen = 0;
+			xdr_free((xdrproc_t)xdr_ypresp_val, &yprv);
+			YPUNLOCK();
+			return(YPERR_RESRC);
+		}
 		bcopy(yprv.val.valdat_val, *outval, *outvallen);
 		(*outval)[*outvallen] = '\0';
 #ifdef YPMATCHCACHE
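Review bot: `malloc(*outvallen+1)` takes its size from `yprv.val.valdat_len`, which at this point comes out of the server's reply, and nothing in the hunk bounds it before the `+1` and the `bcopy`. If `*outvallen` is a signed int (its declaration is outside the hunk), a length at INT_MAX or one that converts to a negative value would make the allocation smaller than the copy that follows. Unless the XDR decoder already caps the length, which is not visible here, reject such values before allocating, e.g. `if (*outvallen < 0 || *outvallen == INT_MAX)` taking the same cleanup path as the NULL check. The same applies to `malloc(*outkeylen+1)` and `malloc(*outvallen+1)` in the two `yprkv` hunks, to the cache-hit branch in the previous hunk, and to the committed r228828 copy further down.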
@@ -783,10 +799,25 @@
 	if (!(r = ypprot_err(yprkv.stat))) {
 		*outkeylen = yprkv.key.keydat_len;
 		*outkey = (char *)malloc(*outkeylen+1);
+		if (*outkey == NULL) {
+			_yp_unbind(ysd);
+			*outkeylen = 0;
+			xdr_free((xdrproc_t)xdr_ypresp_key_val, &yprkv);
+			YPUNLOCK();
+			return(YPERR_RESRC);
+		}
 		bcopy(yprkv.key.keydat_val, *outkey, *outkeylen);
 		(*outkey)[*outkeylen] = '\0';
 		*outvallen = yprkv.val.valdat_len;
 		*outval = (char *)malloc(*outvallen+1);
+		if (*outval == NULL) {
+			free(*outkey);
+			_yp_unbind(ysd);
+			*outkeylen = *outvallen = 0;
+			xdr_free((xdrproc_t)xdr_ypresp_key_val, &yprkv);
+			YPUNLOCK();
+			return(YPERR_RESRC);
+		}
 		bcopy(yprkv.val.valdat_val, *outval, *outvallen);
 		(*outval)[*outvallen] = '\0';
 	}
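Review bot: When the second allocation fails, `free(*outkey);` leaves the caller's `*outkey` pointing at freed memory while the function returns YPERR_RESRC. A caller that frees or reads its out-pointers after an error would then touch a dangling pointer. Add `*outkey = NULL;` directly after the `free(*outkey);` line. The identical block in the next hunk needs the same line, as do both copies in the committed r228828 diff further down.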
@@ -843,10 +874,25 @@
 	if (!(r = ypprot_err(yprkv.stat))) {
 		*outkeylen = yprkv.key.keydat_len;
 		*outkey = (char *)malloc(*outkeylen+1);
+		if (*outkey == NULL) {
+			_yp_unbind(ysd);
+			*outkeylen = 0;
+			xdr_free((xdrproc_t)xdr_ypresp_key_val, &yprkv);
+			YPUNLOCK();
+			return(YPERR_RESRC);
+		}
 		bcopy(yprkv.key.keydat_val, *outkey, *outkeylen);
 		(*outkey)[*outkeylen] = '\0';
 		*outvallen = yprkv.val.valdat_len;
 		*outval = (char *)malloc(*outvallen+1);
+		if (*outval == NULL) {
+			free(*outkey);
+			_yp_unbind(ysd);
+			*outkeylen = *outvallen = 0;
+			xdr_free((xdrproc_t)xdr_ypresp_key_val, &yprkv);
+			YPUNLOCK();
+			return(YPERR_RESRC);
+		}
 		bcopy(yprkv.val.valdat_val, *outval, *outvallen);
 		(*outval)[*outvallen] = '\0';
 	}
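Review bot: The two failure branches in this hunk repeat the same unbind / xdr_free / unlock / return sequence, and the previous hunk holds the same pair again, so the release order now lives in four places. A single error label per function would keep it in one. The sketch below shows the shape for this hunk, with the label placed after the function's normal return, which lies outside the hunk. It resets both lengths on either failure (the first branch currently resets only `*outkeylen`) and clears `*outkey` after freeing it.

```c
		*outkey = (char *)malloc(*outkeylen+1);
		if (*outkey == NULL)
			goto nomem;
		/* … unchanged: copy the key, read *outvallen … */
		*outval = (char *)malloc(*outvallen+1);
		if (*outval == NULL) {
			free(*outkey);
			*outkey = NULL;
			goto nomem;
		}
		/* … unchanged: copy the value, rest of the function … */

nomem:
	_yp_unbind(ysd);
	*outkeylen = *outvallen = 0;
	xdr_free((xdrproc_t)xdr_ypresp_key_val, &yprkv);
	YPUNLOCK();
	return (YPERR_RESRC);
```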
--- patch ends here ---
>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed 
State-Changed-By: ghelmer 
State-Changed-When: Thu Dec 22 20:14:01 CST 2011 
State-Changed-Why:  
Patch applied, thanks. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=83349 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: bin/83349: commit references a PR
Date: Fri, 23 Dec 2011 02:13:54 +0000 (UTC)

 Author: ghelmer
 Date: Fri Dec 23 02:13:42 2011
 New Revision: 228828
 URL: http://svn.freebsd.org/changeset/base/228828
 
 Log:
   Handle malloc failures in yplib.c.
   
   PR:		bin/83349
 
 Modified:
   head/lib/libc/yp/yplib.c
 
 Modified: head/lib/libc/yp/yplib.c
 ==============================================================================
 --- head/lib/libc/yp/yplib.c	Fri Dec 23 02:04:35 2011	(r228827)
 +++ head/lib/libc/yp/yplib.c	Fri Dec 23 02:13:42 2011	(r228828)
 @@ -331,6 +331,8 @@ _yp_dobind(char *dom, struct dom_binding
  
  	if (ysd == NULL) {
  		ysd = (struct dom_binding *)malloc(sizeof *ysd);
 +		if (ysd == NULL)
 +			return (YPERR_RESRC);
  		bzero((char *)ysd, sizeof *ysd);
  		ysd->dom_socket = -1;
  		ysd->dom_vers = 0;
 @@ -683,11 +685,18 @@ yp_match(char *indomain, char *inmap, co
  */
  		*outvallen = yprv.val.valdat_len;
  		*outval = (char *)malloc(*outvallen+1);
 +		if (*outval == NULL) {
 +			_yp_unbind(ysd);
 +			*outvallen = 0;
 +			YPUNLOCK();
 +			return (YPERR_RESRC);
 +		}
  		bcopy(yprv.val.valdat_val, *outval, *outvallen);
  		(*outval)[*outvallen] = '\0';
  		YPUNLOCK();
  		return (0);
  	}
 +	_yp_unbind(ysd);
  #endif
  
  again:
 @@ -713,6 +722,13 @@ again:
  	if (!(r = ypprot_err(yprv.stat))) {
  		*outvallen = yprv.val.valdat_len;
  		*outval = (char *)malloc(*outvallen+1);
 +		if (*outval == NULL) {
 +			_yp_unbind(ysd);
 +			*outvallen = 0;
 +			xdr_free((xdrproc_t)xdr_ypresp_val, &yprv);
 +			YPUNLOCK();
 +			return (YPERR_RESRC);
 +		}
  		bcopy(yprv.val.valdat_val, *outval, *outvallen);
  		(*outval)[*outvallen] = '\0';
  #ifdef YPMATCHCACHE
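Review bot: The new early return in the committed version has no comment telling callers what they get back on allocation failure, and the function's header is outside the hunk. A one-line comment above the `if (*outval == NULL) {` block would record the contract in place: `/* Out of memory: return YPERR_RESRC with *outval == NULL and *outvallen == 0. */`. The same comment fits the cache-hit branch in the preceding hunk, which resets the outputs the same way.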
 @@ -791,10 +807,25 @@ again:
  	if (!(r = ypprot_err(yprkv.stat))) {
  		*outkeylen = yprkv.key.keydat_len;
  		*outkey = (char *)malloc(*outkeylen+1);
 +		if (*outkey == NULL) {
 +			_yp_unbind(ysd);
 +			*outkeylen = 0;
 +			xdr_free((xdrproc_t)xdr_ypresp_key_val, &yprkv);
 +			YPUNLOCK();
 +			return (YPERR_RESRC);
 +		}
  		bcopy(yprkv.key.keydat_val, *outkey, *outkeylen);
  		(*outkey)[*outkeylen] = '\0';
  		*outvallen = yprkv.val.valdat_len;
  		*outval = (char *)malloc(*outvallen+1);
 +		if (*outval == NULL) {
 +			free(*outkey);
 +			_yp_unbind(ysd);
 +			*outkeylen = *outvallen = 0;
 +			xdr_free((xdrproc_t)xdr_ypresp_key_val, &yprkv);
 +			YPUNLOCK();
 +			return (YPERR_RESRC);
 +		}
  		bcopy(yprkv.val.valdat_val, *outval, *outvallen);
  		(*outval)[*outvallen] = '\0';
  	}
 @@ -851,10 +882,25 @@ again:
  	if (!(r = ypprot_err(yprkv.stat))) {
  		*outkeylen = yprkv.key.keydat_len;
  		*outkey = (char *)malloc(*outkeylen+1);
 +		if (*outkey == NULL) {
 +			_yp_unbind(ysd);
 +			*outkeylen = 0;
 +			xdr_free((xdrproc_t)xdr_ypresp_key_val, &yprkv);
 +			YPUNLOCK();
 +			return (YPERR_RESRC);
 +		}
  		bcopy(yprkv.key.keydat_val, *outkey, *outkeylen);
  		(*outkey)[*outkeylen] = '\0';
  		*outvallen = yprkv.val.valdat_len;
  		*outval = (char *)malloc(*outvallen+1);
 +		if (*outval == NULL) {
 +			free(*outkey);
 +			_yp_unbind(ysd);
 +			*outkeylen = *outvallen = 0;
 +			xdr_free((xdrproc_t)xdr_ypresp_key_val, &yprkv);
 +			YPUNLOCK();
 +			return (YPERR_RESRC);
 +		}
  		bcopy(yprkv.val.valdat_val, *outval, *outvallen);
  		(*outval)[*outvallen] = '\0';
  	}
 
>Unformatted:
