From 70976d87f18d15c2ccc28eb7728e4822d3849e0d Mon Sep 17 00:00:00 2001 From: =?utf8?q?Rami=20Ylim=C3=A4ki?= Date: Wed, 23 Mar 2011 17:47:50 +0200 Subject: [PATCH] Prevent theoretical double free and leak on get_peer_sock_name. MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit Variable new_sockname will leak and sockname will be double freed if both of the cases shown below are true. 1. realloc succeeds and doesn't return the original pointer 2. calling socket_func fails Signed-off-by: Rami Ylimäki Signed-off-by: Erkki Seppälä Reviewed-by: Arnaud Fontaine Signed-off-by: Peter Harris --- src/xcb_auth.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/src/xcb_auth.c b/src/xcb_auth.c index 4839b78..a3a7e45 100644 --- a/src/xcb_auth.c +++ b/src/xcb_auth.c @@ -261,7 +261,7 @@ static struct sockaddr *get_peer_sock_name(int (*socket_func)(int, { socklen_t socknamelen = sizeof(struct sockaddr) + INITIAL_SOCKNAME_SLACK; socklen_t actual_socknamelen = socknamelen; - struct sockaddr *sockname = malloc(socknamelen), *new_sockname = NULL; + struct sockaddr *sockname = malloc(socknamelen); if (sockname == NULL) return NULL; @@ -274,14 +274,17 @@ static struct sockaddr *get_peer_sock_name(int (*socket_func)(int, if (actual_socknamelen > socknamelen) { + struct sockaddr *new_sockname = NULL; socknamelen = actual_socknamelen; - if ((new_sockname = realloc(sockname, actual_socknamelen)) == NULL || - socket_func(fd, new_sockname, &actual_socknamelen) == -1 || - actual_socknamelen > socknamelen) + if ((new_sockname = realloc(sockname, actual_socknamelen)) == NULL) goto sock_or_realloc_error; sockname = new_sockname; + + if (socket_func(fd, sockname, &actual_socknamelen) == -1 || + actual_socknamelen > socknamelen) + goto sock_or_realloc_error; } return sockname; -- 2.7.4