Module Name: src Committed By: kamil Date: Thu Jun 21 23:05:28 UTC 2018
Modified Files: src/usr.sbin/sysinst: util.c Log Message: Fix invalid free(3) in sysinst(8) The path variable is assigned with an allocation on the heap with strdup(3). Later this pointer is changed with strsep(3) and this caused invalid free(3). Store the original pointer in a new helper variable opath and pass it to free(3). With this change, the problem is going away. Detected with MKSANITIZER=yes with AddressSanitizer. To generate a diff of this commit: cvs rdiff -u -r1.8 -r1.9 src/usr.sbin/sysinst/util.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files: Index: src/usr.sbin/sysinst/util.c diff -u src/usr.sbin/sysinst/util.c:1.8 src/usr.sbin/sysinst/util.c:1.9 --- src/usr.sbin/sysinst/util.c:1.8 Fri May 18 12:23:22 2018 +++ src/usr.sbin/sysinst/util.c Thu Jun 21 23:05:28 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: util.c,v 1.8 2018/05/18 12:23:22 joerg Exp $ */ +/* $NetBSD: util.c,v 1.9 2018/06/21 23:05:28 kamil Exp $ */ /* * Copyright 1997 Piermont Information Systems Inc. @@ -1681,14 +1681,16 @@ set_menu_select(menudesc *m, void *arg) int binary_available(const char *prog) { - char *p, tmp[MAXPATHLEN], *path = getenv("PATH"); + char *p, tmp[MAXPATHLEN], *path = getenv("PATH"), *opath; if (path == NULL) return access(prog, X_OK) == 0; path = strdup(path); if (path == NULL) return 0; - + + opath = path; + while ((p = strsep(&path, ":")) != NULL) { if (strlcpy(tmp, p, MAXPATHLEN) >= MAXPATHLEN) continue; @@ -1697,11 +1699,11 @@ binary_available(const char *prog) if (strlcat(tmp, prog, MAXPATHLEN) >= MAXPATHLEN) continue; if (access(tmp, X_OK) == 0) { - free(path); + free(opath); return 1; } } - free(path); + free(opath); return 0; }