diff options
author | sbruno <sbruno@FreeBSD.org> | 2016-04-19 16:48:14 +0000 |
---|---|---|
committer | sbruno <sbruno@FreeBSD.org> | 2016-04-19 16:48:14 +0000 |
commit | edd3a7f3f93b3eeeb0c74eba010647ff648ea3d3 (patch) | |
tree | d45c08b038482717c4d6f192dc7741408ec80cda /sys/cam | |
parent | 7b1f91ce8b8bf278ba2a9a696b6544024e212069 (diff) | |
download | FreeBSD-src-edd3a7f3f93b3eeeb0c74eba010647ff648ea3d3.zip FreeBSD-src-edd3a7f3f93b3eeeb0c74eba010647ff648ea3d3.tar.gz |
Plug memory leak in ctl(4) when ctl_copyin_args() is called with a non-
null terminated ASCII string.
PR: 207626
Submitted by: cturt@hardenedbsd.org
MFC after: 2 days
Diffstat (limited to 'sys/cam')
-rw-r--r-- | sys/cam/ctl/ctl.c | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/sys/cam/ctl/ctl.c b/sys/cam/ctl/ctl.c index 1101d02..bc94d43 100644 --- a/sys/cam/ctl/ctl.c +++ b/sys/cam/ctl/ctl.c @@ -2445,6 +2445,7 @@ ctl_copyin_args(int num_args, struct ctl_be_arg *uargs, && (tmpptr[args[i].vallen - 1] != '\0')) { snprintf(error_str, error_str_len, "Argument " "%d value is not NUL-terminated", i); + free(tmpptr, M_CTL); goto bailout; } args[i].kvalue = tmpptr; |