From 096c44efa42326e5d5ab740e0368bacb52b26b9f Mon Sep 17 00:00:00 2001 From: emaste Date: Tue, 7 Feb 2012 04:06:21 +0000 Subject: [PATCH] MFC r227893 and r228119: Avoid double free creating a new RAID with invalid command line arguments. In build_volume(), check if arrays is allocated before traversing its items. While parsing the arrays input, it's possible that we reach the error path before initializing the 'arrays' pointer, which in turn leads to a NULL deference. git-svn-id: svn://svn.freebsd.org/base/stable/8@231113 ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f --- usr.sbin/mfiutil/mfi_config.c | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/usr.sbin/mfiutil/mfi_config.c b/usr.sbin/mfiutil/mfi_config.c index f6f1a9da4..32cb17109 100644 --- a/usr.sbin/mfiutil/mfi_config.c +++ b/usr.sbin/mfiutil/mfi_config.c @@ -348,6 +348,7 @@ parse_array(int fd, int raid_type, char *array_str, struct array_info *info) error = mfi_lookup_drive(fd, cp, &device_id); if (error) { free(info->drives); + info->drives = NULL; return (error); } @@ -355,12 +356,14 @@ parse_array(int fd, int raid_type, char *array_str, struct array_info *info) error = errno; warn("Failed to fetch drive info for drive %s", cp); free(info->drives); + info->drives = NULL; return (error); } if (pinfo->fw_state != MFI_PD_STATE_UNCONFIGURED_GOOD) { warnx("Drive %u is not available", device_id); free(info->drives); + info->drives = NULL; return (EINVAL); } } @@ -817,9 +820,11 @@ error: free(config); free(state.volumes); free(state.arrays); - for (i = 0; i < narrays; i++) - free(arrays[i].drives); - free(arrays); + if (arrays != NULL) { + for (i = 0; i < narrays; i++) + free(arrays[i].drives); + free(arrays); + } close(fd); return (error); -- 2.45.0