From 3fd07942530237a038ba0d12738fa19e1a92dbea Mon Sep 17 00:00:00 2001
From: ngie
Date: Wed, 8 Jun 2016 18:47:00 +0000
Subject: [PATCH] MFstable/10 r301687: MFC r300624: Fix up r300385 I accidentally glossed over the fact that tmp is manipulated via strchr, so if we tried to free `tmp` after r300385, it would have crashed. Create a separate pointer (tmp2) to track the original allocation of `tmp`, and free `tmp2` if `p->nc_lookups` can't be malloced CID: 1356026 git-svn-id: svn://svn.freebsd.org/base/stable/9@301688 ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f
---
 lib/libc/rpc/getnetconfig.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/lib/libc/rpc/getnetconfig.c b/lib/libc/rpc/getnetconfig.c
index 255e3bd58..9220b1c59 100644
--- a/lib/libc/rpc/getnetconfig.c
+++ b/lib/libc/rpc/getnetconfig.c
@@ -697,7 +697,7 @@ dup_ncp(ncp)
 struct netconfig *ncp;
 {
 struct netconfig *p;
- char *tmp;
+ char *tmp, *tmp2;
 u_int i;
 
 if ((tmp=malloc(MAXNETCONFIGLINE)) == NULL)
@@ -706,6 +706,7 @@ struct netconfig *ncp;
 free(tmp);
 return(NULL);
 }
+ tmp2 = tmp;
 /*
 * First we dup all the data from matched netconfig buffer. Then we
 * adjust some of the member pointer to a pre-allocated buffer where
@@ -727,7 +728,7 @@ struct netconfig *ncp;
 if (p->nc_lookups == NULL) {
 free(p->nc_netid);
 free(p);
- free(tmp);
+ free(tmp2);
 return(NULL);
 }
 for (i=0; i < p->nc_nlookups; i++) {
-- 
2.45.0
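Review bot: The `free(tmp2);` added in the last hunk may release the same allocation a second time, because `free(p->nc_netid);` runs two lines earlier and the comment in the second hunk says the member pointers are adjusted to point into the pre-allocated buffer. If `p->nc_netid` is assigned the start of that buffer in the lines between the hunks (not visible here), both calls hand the same address to free(), which is a double free on the `p->nc_lookups` allocation-failure path. The buffer should be released exactly once there: keep `free(p->nc_netid);` and drop `free(tmp2);`, or the reverse, with a short comment such as `/* nc_netid points at the base of the tmp allocation */` stating which pointer owns it. The body of dup_ncp continues outside all three hunks, so the aliasing needs confirming against the full function before choosing.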