frederik
/
libxcb
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Prevent theoretical double free and leak on get_peer_sock_name. 

Variable new_sockname will leak and sockname will be double freed if
both of the cases shown below are true.

1. realloc succeeds and doesn't return the original pointer
2. calling socket_func fails

Signed-off-by: Rami Ylimäki <rami.ylimaki@vincit.fi>
Signed-off-by: Erkki Seppälä <erkki.seppala@vincit.fi>
Reviewed-by: Arnaud Fontaine <arnau@debian.org>
Signed-off-by: Peter Harris <pharris@opentext.com>
This commit is contained in:
Rami Ylimäki 2011-03-23 17:47:50 +02:00 committed by Peter Harris
parent 3678159e4e
commit 70976d87f1
1 changed files with 7 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
src/xcb_auth.c
View File

@ -261,7 +261,7 @@ static struct sockaddr *get_peer_sock_name(int (*socket_func)(int,
{
socklen_t socknamelen = sizeof(struct sockaddr) + INITIAL_SOCKNAME_SLACK;
socklen_t actual_socknamelen = socknamelen;
struct sockaddr *sockname = malloc(socknamelen), *new_sockname = NULL;
struct sockaddr *sockname = malloc(socknamelen);
if (sockname == NULL)
return NULL;
@ -274,14 +274,17 @@ static struct sockaddr *get_peer_sock_name(int (*socket_func)(int,
if (actual_socknamelen > socknamelen)
{
struct sockaddr *new_sockname = NULL;
socknamelen = actual_socknamelen;
if ((new_sockname = realloc(sockname, actual_socknamelen)) == NULL ||
socket_func(fd, new_sockname, &actual_socknamelen) == -1 ||
actual_socknamelen > socknamelen)
if ((new_sockname = realloc(sockname, actual_socknamelen)) == NULL)
goto sock_or_realloc_error;
sockname = new_sockname;
if (socket_func(fd, sockname, &actual_socknamelen) == -1 ||
actual_socknamelen > socknamelen)
goto sock_or_realloc_error;
}
return sockname;