nis: Fix leak on realloc failure in nis_getnames [BZ #28150]

If pos >= count but realloc fails, tmp will not have been placed in
getnames[pos] yet, and so will not be freed in free_null.  Detected
by Coverity.

Also remove misleading comment from nis_getnames(), since it actually
did properly release getnames when out of memory.

Tested-by: Carlos O'Donell <carlos@redhat.com>

diff --git a/nis/nis_subr.c b/nis/nis_subr.c
index dd0e30071df64cf56c1628b295c70773a7db0b53..6784fc353f8dc9acd2f36996ea7c3e8a9128e4ca 100644 (file)
--- a/nis/nis_subr.c
+++ b/nis/nis_subr.c
@@ -103,9 +103,6 @@ count_dots (const_nis_name str)
   return count;
 }
 
-/* If we run out of memory, we don't give already allocated memory
-   free. The overhead for bringing getnames back in a safe state to
-   free it is to big. */
 nis_name *
 nis_getnames (const_nis_name name)
 {
@@ -271,7 +268,10 @@ nis_getnames (const_nis_name name)
              nis_name *newp = realloc (getnames,
                                        (count + 1) * sizeof (char *));
              if (__glibc_unlikely (newp == NULL))
-               goto free_null;
+               {
+                 free (tmp);
+                 goto free_null;
+               }
              getnames = newp;
            }
          getnames[pos] = tmp;