author | jhb <jhb@FreeBSD.org> | 2000-07-17 19:51:42 +0000 |
---|---|---|
committer | jhb <jhb@FreeBSD.org> | 2000-07-17 19:51:42 +0000 |
commit | 2f0eda9a3b9848da7a1fc086c111954980045263 (patch) | |
tree | 98abfadb19a062dc65f76bdf41377cdee7428826 /sbin | |
parent | c080110e399c1c4a5482c49d5847f09c8b16ceae (diff) | |
- Don't try to free mboot.bootinst before it has been allocated. If, for
some reason, mboot.bootinst is not initialized to NULL at the beginning
of the program, then the last commit to this would try to free whatever
bogus address is in it.
- Restore the behavior of free()'ing the mboot.bootinst buffer after we
abuse it to determine the sector size of the disk (as clearly noted in
the comments). Properly fix the double free() bug by setting the pointer
to NULL after we free it.
Diffstat (limited to 'sbin')
-rw-r--r-- | sbin/fdisk/fdisk.c | 4 |
-rw-r--r-- | sbin/i386/fdisk/fdisk.c | 4 |
2 files changed, 4 insertions, 4 deletions
diff --git a/sbin/fdisk/fdisk.c b/sbin/fdisk/fdisk.c index acbd6ae..723db8d 100644 --- a/sbin/fdisk/fdisk.c +++ b/sbin/fdisk/fdisk.c @@ -299,11 +299,11 @@ main(int argc, char *argv[]) } /* (abu)use mboot.bootinst to probe for the sector size */ - if (mboot.bootinst != NULL) - free(mboot.bootinst); if ((mboot.bootinst = malloc(MAX_SEC_SIZE)) == NULL) err(1, "cannot allocate buffer to determine disk sector size"); read_disk(0, mboot.bootinst); + free(mboot.bootinst); + mboot.bootinst = NULL; if (s_flag) { diff --git a/sbin/i386/fdisk/fdisk.c b/sbin/i386/fdisk/fdisk.c index acbd6ae..723db8d 100644 --- a/sbin/i386/fdisk/fdisk.c +++ b/sbin/i386/fdisk/fdisk.c @@ -299,11 +299,11 @@ main(int argc, char *argv[]) } /* (abu)use mboot.bootinst to probe for the sector size */ - if (mboot.bootinst != NULL) - free(mboot.bootinst); if ((mboot.bootinst = malloc(MAX_SEC_SIZE)) == NULL) err(1, "cannot allocate buffer to determine disk sector size"); read_disk(0, mboot.bootinst); + free(mboot.bootinst); + mboot.bootinst = NULL; if (s_flag) { |
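Review bot: in the sector-size probe in sbin/fdisk/fdisk.c, the scratch buffer is still stored in mboot.bootinst, so the code stays correct only as long as `free(mboot.bootinst);` is always followed by `mboot.bootinst = NULL;`. A local pointer for the probe (malloc, read_disk, free) would leave mboot.bootinst untouched at this point, so no stale pointer could reach a later free(), and the "(abu)use" comment would no longer be needed. If the member must be reused, a short comment on the NULL assignment saying it guards against the double free() would keep a later cleanup from dropping it.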
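Review bot: sbin/i386/fdisk/fdisk.c has the same blob as sbin/fdisk/fdisk.c both before and after this change (index acbd6ae..723db8d on both files), so the double free() fix is applied twice by hand at the same place in main(). Two identical copies can drift, and a memory-safety fix that reaches only one of them leaves the other still freeing a stale pointer. Consider building both from a single source file, or at least stating in the log message that the two files must be changed together.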