diff options
| author | delphij <delphij@FreeBSD.org> | 2009-05-14 23:09:33 +0000 |
|---|---|---|
| committer | delphij <delphij@FreeBSD.org> | 2009-05-14 23:09:33 +0000 |
| commit | 9d8f0aff10620f8d6f8d0278f18e5665aa2a8df3 (patch) | |
| tree | 601ad1c215db37453905f6f5afa29a3a353fe761 /lib/libc/gen/getcap.c | |
| parent | 8a00f0cfdff59e0c1247a683100e17474afd0286 (diff) | |
| download | FreeBSD-src-9d8f0aff10620f8d6f8d0278f18e5665aa2a8df3.zip FreeBSD-src-9d8f0aff10620f8d6f8d0278f18e5665aa2a8df3.tar.gz | |
As the comment says, close() frees the variable, record. So we obtain
the length by evaluating the value from the copy, cbuf instead. This
fixes a crash caused by previous commit (use-after-free)
Submitted by: Dimitry Andric <dimitry andric com>
Pointy hat to: delphij
Diffstat (limited to 'lib/libc/gen/getcap.c')
| -rw-r--r-- | lib/libc/gen/getcap.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/lib/libc/gen/getcap.c b/lib/libc/gen/getcap.c index d0e4a7b..32d66d48 100644 --- a/lib/libc/gen/getcap.c +++ b/lib/libc/gen/getcap.c @@ -260,7 +260,7 @@ getent(char **cap, u_int *len, char **db_array, int fd, const char *name, errno = ENOMEM; return (-2); } - *len = strlen(record); + *len = strlen(cbuf); *cap = cbuf; return (retval); } else { |
