From f22de230a1a4e557fd996302b78468c60acc0536 Mon Sep 17 00:00:00 2001
From: Rebecca Cran
Date: Sun, 21 Nov 2010 14:34:25 +0000
Subject: [PATCH] dispatch_add_command: Modify the logic so there's only one exit point instead of two. Only insert valid (non-NULL) values into the queue. dispatch_free_command: Ensure that item is not NULL before removing it from the queue and dereferencing the pointer. NULL out free'd pointers to catch any use-after-free bugs. PR: bin/146855 Submitted by: gcooper MFC after: 3 days
---
 usr.sbin/sysinstall/dispatch.c | 32 +++++++++++++++++++++++---------
 1 file changed, 23 insertions(+), 9 deletions(-)
diff --git a/usr.sbin/sysinstall/dispatch.c b/usr.sbin/sysinstall/dispatch.c
index 0e4a6345da9e..44aa0facbd8c 100644
--- a/usr.sbin/sysinstall/dispatch.c
+++ b/usr.sbin/sysinstall/dispatch.c
@@ -136,8 +136,12 @@ typedef struct command_buffer_ {
 static void
 dispatch_free_command(command_buffer *item)
 {
- REMQUE(item);
- free(item->string);
+ if (item != NULL) {
+ REMQUE(item);
+ free(item->string);
+ item->string = NULL;
+ }
+
 free(item);
 }
 
@@ -155,19 +159,29 @@ dispatch_free_all(qelement *head)
 static command_buffer *
 dispatch_add_command(qelement *head, char *string)
 {
- command_buffer *new;
+ command_buffer *new = NULL;
 
 new = malloc(sizeof(command_buffer));
 
- if (!new)
- return NULL;
+ if (new != NULL) {
 
- new->string = strdup(string);
- INSQUEUE(new, head->q_back);
+ new->string = strdup(string);
+
+ /*
+ * We failed to copy `string'; clean up the allocated
+ * resources.
+ */
+ if (new->string == NULL) {
+ free(new);
+ new = NULL;
+ } else {
+ INSQUEUE(new, head->q_back);
+ }
+ }
 
 return new;
 }
-
+
 /*
 * Command processing
 */
@@ -280,7 +294,7 @@ dispatchCommand(char *str)
 
 return i;
 }
-
+
 /*
 * File processing
 */
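Review bot: The added `item->string = NULL;` in `dispatch_free_command` does not give the use-after-free protection the commit message describes, because `free(item)` releases the structure holding that field immediately afterwards. The store is dead, so a compiler may remove it, and the caller's own copy of `item` still dangles. Since `item` is passed by value the function cannot clear the caller's pointer, so either drop the store or state the contract in a comment, e.g. `/* item is invalid on return; callers must not reuse their pointer */`. The callers are outside this hunk.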
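Review bot: `dispatch_add_command` now returns NULL both when `malloc` fails and when `strdup` fails, with nothing queued in either case, but no comment states that contract. The callers are outside this hunk, so whether they check the result cannot be confirmed here. A header comment such as `/* Returns the queued entry, or NULL (nothing queued) if allocation fails. */` would make it explicit. `string` is also passed to `strdup` unchecked; if a caller can pass NULL, the guard should become `if (new != NULL && string != NULL)` or the non-NULL precondition should be documented. The `= NULL` initialiser on `new` is overwritten by the `malloc` assignment that follows and can be dropped.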