diff options
| author | Robbie Harwood <rharwood@redhat.com> | 2021-07-28 14:23:32 -0400 |
|---|---|---|
| committer | Carlos O'Donell <carlos@redhat.com> | 2021-08-02 11:14:20 -0400 |
| commit | 60698263122b7c54ded3f70a466176e17a529480 (patch) | |
| tree | 8fa13c7d0b7bff86390915beb2ed4ab66fd1f89f | |
| parent | db737c79c694d0cb65dbc40696c8765b4299310c (diff) | |
| download | glibc-60698263122b7c54ded3f70a466176e17a529480.tar glibc-60698263122b7c54ded3f70a466176e17a529480.tar.gz glibc-60698263122b7c54ded3f70a466176e17a529480.tar.bz2 glibc-60698263122b7c54ded3f70a466176e17a529480.zip | |
nis: Fix leak on realloc failure in nis_getnames [BZ #28150]
If pos >= count but realloc fails, tmp will not have been placed in
getnames[pos] yet, and so will not be freed in free_null. Detected
by Coverity.
Also remove misleading comment from nis_getnames(), since it actually
did properly release getnames when out of memory.
Tested-by: Carlos O'Donell <carlos@redhat.com>
| -rw-r--r-- | nis/nis_subr.c | 8 |
1 files changed, 4 insertions, 4 deletions
diff --git a/nis/nis_subr.c b/nis/nis_subr.c index dd0e30071d..6784fc353f 100644 --- a/nis/nis_subr.c +++ b/nis/nis_subr.c @@ -103,9 +103,6 @@ count_dots (const_nis_name str) return count; } -/* If we run out of memory, we don't give already allocated memory - free. The overhead for bringing getnames back in a safe state to - free it is to big. */ nis_name * nis_getnames (const_nis_name name) { @@ -271,7 +268,10 @@ nis_getnames (const_nis_name name) nis_name *newp = realloc (getnames, (count + 1) * sizeof (char *)); if (__glibc_unlikely (newp == NULL)) - goto free_null; + { + free (tmp); + goto free_null; + } getnames = newp; } getnames[pos] = tmp; |