[Pkg-gnupg-maint] Bug#773520: use-after-free
NIIBE Yutaka
gniibe at fsij.org
Wed Jan 7 05:58:04 CET 2015
Hello,
Thank you for reviewing and reporting this. This message is Cc-ed to
gnupg-devel.
On 12/19/2014 09:56 PM, Joshua Rogers wrote:
> Package: gnupg2
> Version: 2.1.1
> Severity: normal
[...]
> In ks-engine-hkp.c on line 509 'reftbl' is freed, but it is then
> used on line 511. I'm guessing this is a missing return;.
Right.
Here is my fix along with other fixes in map_host function.
diff --git a/dirmngr/ks-engine-hkp.c b/dirmngr/ks-engine-hkp.c
index 3c6a003..c13cec9 100644
--- a/dirmngr/ks-engine-hkp.c
+++ b/dirmngr/ks-engine-hkp.c
@@ -325,6 +325,7 @@ static gpg_error_t
map_host (ctrl_t ctrl, const char *name, int force_reselect,
char **r_host, unsigned int *r_httpflags, char **r_poolname)
{
+ gpg_error_t err = 0;
hostinfo_t hi;
int idx;
@@ -361,8 +362,9 @@ map_host (ctrl_t ctrl, const char *name, int force_reselect,
idx = create_new_hostinfo (name);
if (idx == -1)
{
+ err = gpg_error_from_syserror ();
xfree (reftbl);
- return gpg_error_from_syserror ();
+ return err;
}
hi = hosttable[idx];
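Review bot: The reordering at `err = gpg_error_from_syserror ();` carries no comment saying why the error is captured before `xfree (reftbl)`, so a later cleanup could easily fold it back into the `return`. A one-line comment such as `/* Save the error first; the cleanup below may change errno. */` would record the intent, and the same applies to the `xtrystrdup` failure branch in the last hunk. Whether `xfree` preserves errno is not visible in this diff. map_host starts and ends outside this hunk.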
@@ -504,9 +506,11 @@ map_host (ctrl_t ctrl, const char *name, int force_reselect,
hi->pool = xtryrealloc (reftbl, (refidx+1) * sizeof *reftbl);
if (!hi->pool)
{
+ err = gpg_error_from_syserror ();
log_error ("shrinking index table in map_host failed: %s\n",
strerror (errno));
xfree (reftbl);
+ return err;
}
qsort (reftbl, refidx, sizeof *reftbl, sort_hostpool);
}
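Review bot: The `qsort (reftbl, refidx, ...)` call after the realloc still reads through `reftbl`, which is no longer a valid pointer once `xtryrealloc` has succeeded, because ownership has passed to `hi->pool` and the block may have been relocated. The added `return err;` closes the failure-path use-after-free from the report, but the success path should sort through the new pointer: `qsort (hi->pool, refidx, sizeof *hi->pool, sort_hostpool);`. Separately, the log line could print `gpg_strerror (err)` instead of `strerror (errno)` so that the message matches the value returned. map_host begins and ends outside this hunk, so any other state that needs releasing on this early return cannot be checked from here.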
@@ -570,12 +574,13 @@ map_host (ctrl_t ctrl, const char *name, int force_reselect,
*r_host = xtrystrdup (hi->name);
if (!*r_host)
{
+ err = gpg_error_from_syserror ();
if (r_poolname)
{
xfree (*r_poolname);
*r_poolname = NULL;
}
- return gpg_error_from_syserror ();
+ return err;
}
return 0;
}