Prevent theoretical double free and leak on get_peer_sock_name.

Variable new_sockname will leak and sockname will be double freed if
both of the cases shown below are true.

1. realloc succeeds and doesn't return the original pointer
2. calling socket_func fails

Signed-off-by: Rami Ylimäki <rami.ylimaki@vincit.fi>
Signed-off-by: Erkki Seppälä <erkki.seppala@vincit.fi>
Reviewed-by: Arnaud Fontaine <arnau@debian.org>
Signed-off-by: Peter Harris <pharris@opentext.com>

diff --git a/src/xcb_auth.c b/src/xcb_auth.c
index 4839b78..a3a7e45 100644 (file)
--- a/src/xcb_auth.c
+++ b/src/xcb_auth.c
@@ -261,7 +261,7 @@ static struct sockaddr *get_peer_sock_name(int (*socket_func)(int,
 {
     socklen_t socknamelen = sizeof(struct sockaddr) + INITIAL_SOCKNAME_SLACK;
     socklen_t actual_socknamelen = socknamelen;
-    struct sockaddr *sockname = malloc(socknamelen), *new_sockname = NULL;
+    struct sockaddr *sockname = malloc(socknamelen);
 
     if (sockname == NULL)
         return NULL;
@@ -274,14 +274,17 @@ static struct sockaddr *get_peer_sock_name(int (*socket_func)(int,
 
     if (actual_socknamelen > socknamelen)
     {
+        struct sockaddr *new_sockname = NULL;
         socknamelen = actual_socknamelen;
 
-        if ((new_sockname = realloc(sockname, actual_socknamelen)) == NULL ||
-            socket_func(fd, new_sockname, &actual_socknamelen) == -1 ||
-            actual_socknamelen > socknamelen) 
+        if ((new_sockname = realloc(sockname, actual_socknamelen)) == NULL)
             goto sock_or_realloc_error;
 
         sockname = new_sockname;
+
+        if (socket_func(fd, sockname, &actual_socknamelen) == -1 ||
+            actual_socknamelen > socknamelen)
+            goto sock_or_realloc_error;
     }
 
     return sockname;