author | Jeremy Kerr <jk@ozlabs.org> | 2014-03-12 14:22:47 +0800 |
---|---|---|
committer | Jeremy Kerr <jk@ozlabs.org> | 2014-04-08 16:00:38 +0800 |
commit | 28926a0e2f144b09ac9e0a4d019c7f649fd9d5c1 (patch) | |
tree | 7d0371606513ec81b972870e86946da93de32db2 /ui | |
parent | bc72527a1426c2159112707d3a6c9bb544fd6647 (diff) | |
ui/ncurses: Don't free item in pmenu_item_setup
Currently pmenu_item_setup may free its item parameter on error.
This makes it non-obvious whether the item is still allocated on exit to
the caller.
Instead, this change removes the talloc_free, and requires that the
caller do this on error. This makes the potential use-after-free in
cui_boot_editor_on_exit obvious, so we fix that too.
Signed-off-by: Jeremy Kerr <jk@ozlabs.org>
Diffstat (limited to 'ui')
-rw-r--r-- | ui/ncurses/nc-cui.c | 10 | ||||
-rw-r--r-- | ui/ncurses/nc-menu.c | 4 | ||||
-rw-r--r-- | ui/ncurses/nc-menu.h | 9 |
3 files changed, 16 insertions, 7 deletions
diff --git a/ui/ncurses/nc-cui.c b/ui/ncurses/nc-cui.c
index 88bdd0f..fce1752 100644
--- a/ui/ncurses/nc-cui.c
+++ b/ui/ncurses/nc-cui.c
@@ -185,8 +185,11 @@ static void cui_boot_editor_on_exit(struct cui *cui,
 item->data = cod = talloc_zero(item, struct cui_opt_data);
 cod->name = talloc_asprintf(cod, "User item %u:", insert_pt);
- pmenu_item_setup(menu, item, insert_pt,
- talloc_strdup(item, cod->name));
+ if (pmenu_item_setup(menu, item, insert_pt,
+ talloc_strdup(item, cod->name)) == NULL) {
+ talloc_free(item);
+ item = NULL;
+ }
 /* Re-attach the items array. */
 set_menu_items(menu->ncm, menu->items);
@@ -197,7 +200,8 @@ static void cui_boot_editor_on_exit(struct cui *cui,
 cod->bd = talloc_steal(cod, bd);
- set_current_item(item->pmenu->ncm, item->nci);
+ if (item)
+ set_current_item(item->pmenu->ncm, item->nci);
 cui_set_current(cui, &cui->main->scr);
 talloc_free(cui->boot_editor);
 cui->boot_editor = NULL;
diff --git a/ui/ncurses/nc-menu.c b/ui/ncurses/nc-menu.c
index cd7c54e..654c389 100644
--- a/ui/ncurses/nc-menu.c
+++ b/ui/ncurses/nc-menu.c
@@ -106,10 +106,8 @@ struct pmenu_item *pmenu_item_setup(struct pmenu *menu, struct pmenu_item *i,
 i->pmenu = menu;
 i->nci = new_item(name, NULL);
- if (!i->nci) {
- talloc_free(i);
+ if (!i->nci)
 return NULL;
- }
 set_item_userptr(i->nci, i);
diff --git a/ui/ncurses/nc-menu.h b/ui/ncurses/nc-menu.h
index f5e947d..4c3a43f 100644
--- a/ui/ncurses/nc-menu.h
+++ b/ui/ncurses/nc-menu.h
@@ -75,7 +75,14 @@ static inline struct cui_opt_data *cod_from_item(struct pmenu_item *item)
 static inline struct pmenu_item *pmenu_item_init(struct pmenu *menu,
 unsigned int index, const char *name)
 {
- return pmenu_item_setup(menu, pmenu_item_alloc(menu), index, name);
+ struct pmenu_item *item = pmenu_item_alloc(menu);
+
+ if (pmenu_item_setup(menu, item, index, name)) {
+ talloc_free(item);
+ item = NULL;
+ }
+
+ return item;
 }
 /** |
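Review bot: On the new error path in cui_boot_editor_on_exit, `talloc_free(item)` also releases `cod`, because `cod` was allocated as a talloc child of `item` (`talloc_zero(item, struct cui_opt_data)`), yet the `-197,7` hunk still runs `cod->bd = talloc_steal(cod, bd);` unguarded. If nothing between the two hunks reassigns `cod` (those lines are outside the diff), that write lands in freed memory, so the use-after-free named in the commit message is only partly closed. Setting `cod = NULL;` next to `item = NULL;` and guarding the later assignment with `if (cod)`, or leaving the function early once the boot editor has been torn down, would close it. The function body starts and ends outside both hunks.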
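Review bot: The new check in pmenu_item_init looks inverted: `if (pmenu_item_setup(menu, item, index, name))` is true for a non-NULL return, while the nc-menu.c hunk shows NULL as the failure return and the nc-cui.c caller tests `== NULL`. As written, a successfully set-up item would be freed and NULL returned, and a failed one would be handed back with `nci` unset (assuming setup returns the item on success, which is not visible in this diff). The condition should read `if (!pmenu_item_setup(menu, item, index, name)) {`. The result of `pmenu_item_alloc(menu)` is also passed on unchecked, and setup writes `i->pmenu` immediately, so an `if (!item) return NULL;` before the call would be worth adding.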