1. malloc() not tested for failures within ruserpass() 2. port variable within rexec() can be uset uninitialized causing possible close of random socket (within bad: part of code)
This patch includes the fixes provided previously (minus the port var removal provided by the OP), plus some style fixes and source updating. Which makes me wonder: is libcompat-4.3's rexec.c used for compiling purposes at all? -Garrett
Garrett Cooper wrote: > This patch includes the fixes provided previously (minus the port var > removal provided by the OP), plus some style fixes and source > updating. > + if (*aname == 0) { > + *aname = malloc(strlen(tokval)+1); > + if (*aname == NULL) { > + warnx("malloc for aname failed\n"); > + goto bad; > + } > + strcpy(*aname, tokval); Minor: 1. Are you hate strdup() for a reason (in place of malloc+strcpy)? Very minor: 2. Are you sure the average user will be more happy with "malloc for aname failed" than with "Cannot allocate memory for user name" ? > bad: > - (void) fclose(cfile); > - return (-1); > + ret_code = -1; > +done: > + fclose(cfile); > + return ret_code; > } Major: 3. I found no exact specification of library function ruserpass(). It seems you may got *aname, *apass, *aacct NULL or non-NULL on enter. In the case you got NULL on enter, the memory may be allocated during the processing and returned to the caller. Now what about proper cleanup (against memory leaks) ? If the function exit with 0, it's clear - the caller must free the allocated memories. But what when the function fail ? To be on the safe side I would recommend to free() the memory if allocated by the failing ruserpass() But if you are sure (e.g. you know the specification of ...) the caller will free it even in the case of nonzero return code, it's not necesarry. > Which makes me wonder: is libcompat-4.3's rexec.c used for compiling > purposes at all? The cpio and tar seems to use it. By the way, it's very hard to analyze the patch containing both functional and stylistic changes ... Dan
FWIW, The undefined "port" variable was fixed in r278867.
For bugs matching the following conditions: - Status == In Progress - Assignee == "bugs@FreeBSD.org" - Last Modified Year <= 2017 Do - Set Status to "Open"
Keyword: patch or patch-ready – in lieu of summary line prefix: [patch] * bulk change for the keyword * summary lines may be edited manually (not in bulk). Keyword descriptions and search interface: <https://bugs.freebsd.org/bugzilla/describekeywords.cgi>