diff options
| author | truckman <truckman@FreeBSD.org> | 2016-05-25 01:37:25 +0000 |
|---|---|---|
| committer | truckman <truckman@FreeBSD.org> | 2016-05-25 01:37:25 +0000 |
| commit | 610c8f37edec3884d4c6ff72b64b78bac7a3166a (patch) | |
| tree | cc9641ca5b1d9b509db3bdf8a6ce36a87b2a09ac /usr.sbin | |
| parent | e825b90448b365da566c7370cec6f3e13bd88697 (diff) | |
| download | FreeBSD-src-610c8f37edec3884d4c6ff72b64b78bac7a3166a.zip FreeBSD-src-610c8f37edec3884d4c6ff72b64b78bac7a3166a.tar.gz | |
Fix Coverity CIDs 1340544 Resource leak and 1340543 Use after free
At line 479 of ldapclient.c in client_build_req(), the error return
leaks ldap_attrs (CID 1340544). It looks like this can happen if
the first utoa() call in aldap_get_stringset() fails. It looks
like other leaks can happen if other utoa() calls fail since scanning
this array when it is freed stops when the first NULL is encountered.
Fix these problems by not storing NULL in the array when utoa()
fails, and by freeing ret and returning NULL if nothing is stored
in the array. That way the caller will never see the
ldap_attrs[0] == NULL case, so delete that check.
The ber_printf_element() calls ber_free_elements() on its ber
argument and returns NULL on failure. When each of its callers
detects failure, they do a goto fail, which then calls ber_free_elements()
with the same pointer (CID 1340543). Fix is to delete the
ber_free_elements() from ber_printf_element()
Reported by: Coverity
CID: 1340543, 1340544
Reviewed by: araujo
Differential Revision: https://reviews.freebsd.org/D6550
Diffstat (limited to 'usr.sbin')
| -rw-r--r-- | usr.sbin/ypldap/aldap.c | 11 | ||||
| -rw-r--r-- | usr.sbin/ypldap/ber.c | 1 | ||||
| -rw-r--r-- | usr.sbin/ypldap/ldapclient.c | 2 |
3 files changed, 9 insertions, 5 deletions
diff --git a/usr.sbin/ypldap/aldap.c b/usr.sbin/ypldap/aldap.c index d07fe7f..ed4fb37 100644 --- a/usr.sbin/ypldap/aldap.c +++ b/usr.sbin/ypldap/aldap.c @@ -716,12 +716,19 @@ aldap_get_stringset(struct ber_element *elm) return NULL; for (a = elm, i = 0; a != NULL && a->be_type == BER_TYPE_OCTETSTRING; - a = a->be_next, i++) { + a = a->be_next) { ber_get_string(a, &s); ret[i] = utoa(s); + if (ret[i] != NULL) + i++; + } - ret[i + 1] = NULL; + if (i == 0) { + free(ret); + return NULL; + } + ret[i] = NULL; return ret; } diff --git a/usr.sbin/ypldap/ber.c b/usr.sbin/ypldap/ber.c index d388233..f28cdfd 100644 --- a/usr.sbin/ypldap/ber.c +++ b/usr.sbin/ypldap/ber.c @@ -621,7 +621,6 @@ ber_printf_elements(struct ber_element *ber, char *fmt, ...) return (ber); fail: - ber_free_elements(ber); return (NULL); } diff --git a/usr.sbin/ypldap/ldapclient.c b/usr.sbin/ypldap/ldapclient.c index 9231c46..df6e9b9 100644 --- a/usr.sbin/ypldap/ldapclient.c +++ b/usr.sbin/ypldap/ldapclient.c @@ -475,8 +475,6 @@ client_build_req(struct idm *idm, struct idm_req *ir, struct aldap_message *m, } else { if (aldap_match_attr(m, idm->idm_attrs[i], &ldap_attrs) == -1) return (-1); - if (ldap_attrs[0] == NULL) - return (-1); if (strlcat(ir->ir_line, ldap_attrs[0], sizeof(ir->ir_line)) >= sizeof(ir->ir_line)) { aldap_free_attr(ldap_attrs); |
