Module Name: src Committed By: jakllsch Date: Wed Nov 27 17:33:03 UTC 2013
Modified Files: src/sys/lib/libsa: loadfile_elf32.c Log Message: Fix a use-after-free (well, dealloc actually) issue. To generate a diff of this commit: cvs rdiff -u -r1.29 -r1.30 src/sys/lib/libsa/loadfile_elf32.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files:
Index: src/sys/lib/libsa/loadfile_elf32.c
diff -u src/sys/lib/libsa/loadfile_elf32.c:1.29 src/sys/lib/libsa/loadfile_elf32.c:1.30
--- src/sys/lib/libsa/loadfile_elf32.c:1.29 Thu Feb 17 21:15:31 2011
+++ src/sys/lib/libsa/loadfile_elf32.c Wed Nov 27 17:33:03 2013
@@ -1,4 +1,4 @@
-/* $NetBSD: loadfile_elf32.c,v 1.29 2011/02/17 21:15:31 christos Exp $ */
+/* $NetBSD: loadfile_elf32.c,v 1.30 2013/11/27 17:33:03 jakllsch Exp $ */
 /*- * Copyright (c) 1997, 2008 The NetBSD Foundation, Inc.
@@ -273,6 +273,7 @@ ELFNAMEEND(loadfile)(int fd, Elf_Ehdr *e
 uint8_t desc[ELF_NOTE_NETBSD_DESCSZ]; } note; char *shstr = NULL;
+ size_t shstrsz = 0;
 int boot_load_ctf = 1; /* some ports dont use the offset */
@@ -432,6 +433,7 @@ ELFNAMEEND(loadfile)(int fd, Elf_Ehdr *e
 } shstr = ALLOC(shp[elf->e_shstrndx].sh_size);
+ shstrsz = shp[elf->e_shstrndx].sh_size;
 if (lseek(fd, shp[elf->e_shstrndx].sh_offset, SEEK_SET) == -1) { WARN(("lseek symbols"));
@@ -556,7 +558,7 @@ ELFNAMEEND(loadfile)(int fd, Elf_Ehdr *e
 } if (shstr) {
- DEALLOC(shstr, shp[elf->e_shstrndx].sh_size);
+ DEALLOC(shstr, shstrsz);
 } /*
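Review bot: In the `@@ -432,6 +433,7 @@` hunk the expression `shp[elf->e_shstrndx].sh_size` is now evaluated twice, once for `ALLOC` and once for `shstrsz`, so the allocation size and the size later handed to `DEALLOC(shstr, shstrsz)` agree only by repetition. Saving the value first and allocating from it ties the two together: `shstrsz = shp[elf->e_shstrndx].sh_size;` followed by `shstr = ALLOC(shstrsz);`. Both `e_shstrndx` and `sh_size` are read from the image being loaded, and neither a range check on the index nor a test of the `ALLOC` result is visible in these lines; without them a malformed section header table would index outside `shp` or dictate the buffer size. The body of `loadfile` starts and ends outside the hunk, so such checks may already exist earlier in the function.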
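Review bot: The new `DEALLOC(shstr, shstrsz);` line in the `@@ -556,7 +558,7 @@` hunk carries no comment saying why the saved size is used instead of reading the section header again. The log message implies that `shp` has already been released when this line runs, but that release is not visible in the hunk, so a later cleanup could reintroduce the stale read. A one-line comment above the call, such as `/* shp is already freed here; use the size saved at ALLOC time */`, would record the constraint, and the declaration in the `@@ -273,6 +273,7 @@` hunk could carry `/* size passed to ALLOC for shstr */`. The enclosing function continues beyond the hunk on both sides.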