From 9d8f0aff10620f8d6f8d0278f18e5665aa2a8df3 Mon Sep 17 00:00:00 2001
From: delphij
Date: Thu, 14 May 2009 23:09:33 +0000
Subject: As the comment says, close() frees the variable, record. So we obtain the length by evaluating the value from the copy, cbuf instead.
This fixes a crash caused by previous commit (use-after-free)
Submitted by: Dimitry Andric
Pointy hat to: delphij
---
 lib/libc/gen/getcap.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'lib/libc/gen/getcap.c')
diff --git a/lib/libc/gen/getcap.c b/lib/libc/gen/getcap.c
index d0e4a7b..32d66d48 100644
--- a/lib/libc/gen/getcap.c
+++ b/lib/libc/gen/getcap.c
@@ -260,7 +260,7 @@ getent(char **cap, u_int *len, char **db_array, int fd, const char *name,
 errno = ENOMEM;
 return (-2);
 }
- *len = strlen(record);
+ *len = strlen(cbuf);
 *cap = cbuf;
 return (retval);
 } else {
-- 
cgit v1.1
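Review bot: The new `*len = strlen(cbuf);` line is only correct because `record` is already dead at this point, but nothing next to the line says so, and the commit message shows that the previous change made exactly this stale read. I would add a comment directly above it, such as `/* record was freed by the close above; only cbuf is valid here */`. The close call is outside the hunk, so this is unconfirmed, but if `record` is a plain local pointer, setting it to NULL right after the close would make any later stale use fail deterministically instead of reading freed memory. Separately, `strlen()` returns `size_t` while `len` is a `u_int *`; the narrowing is probably harmless for capability records, but an explicit `(u_int)` cast or a range check would make the intent visible. The body of getent() starts and ends outside the hunk.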