[PATCH] tofu: fix null pointer dereference.
Justus Winter
justus at g10code.com
Tue Jul 19 10:55:16 CEST 2016
Hi Ben :)
did you actually see this crash or are you fixing a compiler or static
analyzer warning? Because...
Ben Kibbey <bjk at luxsci.net> writes:
> * g10/tofu.c (tofu_closedbs): test for NULL.
>
> Signed-off-by: Ben Kibbey <bjk at luxsci.net>
> ---
> g10/tofu.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/g10/tofu.c b/g10/tofu.c
> index 471aec6..b0686e5 100644
> --- a/g10/tofu.c
> +++ b/g10/tofu.c
> @@ -1107,7 +1107,8 @@ tofu_closedbs (ctrl_t ctrl)
* old_head can only be NULL if db_cache_count was 0 before being incremented by count.
* Therefore, db_cache_count == count.
* We only free databases if db_cache_count > DB_CACHE_ENTRIES.
* Thus, count > DB_CACHE_ENTRIES, and
> int skip = DB_CACHE_ENTRIES - count;
* skip < 0.
> while (-- skip > 0)
> old_head = old_head->next;
Which means it doesn't crash here (that was my first thought).
> - *old_head->prevp = NULL;
> + if (old_head)
> + *old_head->prevp = NULL;
>
> while (old_head)
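Review bot: the guard around `*old_head->prevp = NULL;` only hides a precondition violation rather than handling it. `old_head` is NULL exactly when the cache was empty before this call, and then `count > DB_CACHE_ENTRIES` holds, so `skip = DB_CACHE_ENTRIES - count` is negative, `while (-- skip > 0)` never advances, the guarded unlink is skipped and the following `while (old_head)` loop frees nothing, leaving the cache above DB_CACHE_ENTRIES. In that case the entries to release are among the `count` just added, so the cut point should be computed from the newly added list (or that case branched off explicitly) instead of silently skipping eviction.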
But it also means that we will never free a handle in this case. Which
means while your patch fixes a crash, the code still doesn't work in
that case. Care to fix it?
Cheers,
Justus
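The case Justus walks through, as an added example that is not part of this thread or of GnuPG's code: a constructed model of the eviction step with the patch's guard in place, showing that when the cache was empty and more than DB_CACHE_ENTRIES handles are closed at once nothing is freed, next to an illustrative trim I wrote myself (not the project's fix). The struct layout, push_front, free_from, evict_guarded, evict_trim, demo and the tiny DB_CACHE_ENTRIES value are all assumptions for the demo.

```c
#include <stdlib.h>
#define DB_CACHE_ENTRIES 2   /* constructed: tiny cache limit for the demo */
/* Stand-in for a cached db handle; prevp points at whatever pointer
 * (the list head or a predecessor's next) currently refers to this node. */
struct db { struct db *next; struct db **prevp; };
/* Push N new nodes in front of *HEADP, keeping the prevp links valid. */
static void push_front (struct db **headp, int n) {
  while (n-- > 0) {
    struct db *d = calloc (1, sizeof *d); if (!d) abort ();
    d->next = *headp; d->prevp = headp;
    if (d->next) d->next->prevp = &d->next;
    *headp = d;
  }
}
/* Free D and everything after it; return the number of nodes freed. */
static int free_from (struct db *d) {
  int freed = 0;
  while (d) { struct db *next = d->next; free (d); d = next; freed++; }
  return freed;
}
/* The eviction step with the patch's NULL guard, following the quoted lines:
 * COUNT handles were just put in front of OLD_HEAD (NULL if cache was empty). */
int evict_guarded (struct db *old_head, int count) {
  int skip = DB_CACHE_ENTRIES - count;
  while (-- skip > 0)            /* skip < 0 when count > DB_CACHE_ENTRIES, */
    old_head = old_head->next;   /* so old_head never advances ... */
  if (old_head)
    *old_head->prevp = NULL;     /* ... the guard skips the unlink ... */
  return free_from (old_head);   /* ... and nothing at all is freed */
}
/* Illustrative alternative (mine, not GnuPG's fix): keep the first
 * DB_CACHE_ENTRIES nodes of the whole list and free the rest; no OLD_HEAD. */
int evict_trim (struct db **pp) {
  for (int i = 0; i < DB_CACHE_ENTRIES && *pp; i++) pp = &(*pp)->next;
  struct db *tail = *pp; *pp = NULL;
  return free_from (tail);
}
/* Scenario: PREV entries already cached, then COUNT handles closed at once,
 * i.e. db_cache_count == PREV + COUNT.  Returns the number of entries freed. */
int demo (int prev, int count, int use_trim) {
  struct db *cache = NULL;
  push_front (&cache, prev);
  struct db *old_head = cache;   /* NULL when the cache was empty */
  push_front (&cache, count);
  int freed = 0;
  if (prev + count > DB_CACHE_ENTRIES)
    freed = use_trim ? evict_trim (&cache) : evict_guarded (old_head, count);
  free_from (cache);             /* release whatever survived */
  return freed;
}
```

demo(0, 3, 0) returns 0: the guard avoids the crash but the cache stays at three entries, above the limit, while demo(0, 3, 1) frees one.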