[PATCH] tofu: fix null pointer dereference.

Justus Winter justus at g10code.com
Tue Jul 19 10:55:16 CEST 2016


Hi Ben :)

did you actually see this crash or are you fixing a compiler or static
analyzer warning?  Because...

Ben Kibbey <bjk at luxsci.net> writes:

> * g10/tofu.c (tofu_closedbs): test for NULL.
>
> Signed-off-by: Ben Kibbey <bjk at luxsci.net>
> ---
>  g10/tofu.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/g10/tofu.c b/g10/tofu.c
> index 471aec6..b0686e5 100644
> --- a/g10/tofu.c
> +++ b/g10/tofu.c
> @@ -1107,7 +1107,8 @@ tofu_closedbs (ctrl_t ctrl)

* old_head can only be NULL if db_cache_count was 0 before being
  incremented by count.

* Therefore, db_cache_count == count.

* We only free databases if db_cache_count > DB_CACHE_ENTRIES.

* Thus, count > DB_CACHE_ENTRIES, and

int skip = DB_CACHE_ENTRIES - count;

* skip < 0.

>            while (-- skip > 0)
>              old_head = old_head->next;

Which means it doesn't crash here (that was my first thought).

> -          *old_head->prevp = NULL;
> +          if (old_head)
> +            *old_head->prevp = NULL;
>  
>            while (old_head)
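Review bot: the new `if (old_head)` guard in front of `*old_head->prevp = NULL;` only avoids the write; in the case it guards against (old_head is NULL, which per the analysis above happens when the cache was empty and count exceeds DB_CACHE_ENTRIES, so skip is negative and the `while (-- skip > 0)` walk never runs) the following `while (old_head)` loop is also skipped, so no handle is freed and the cache is left holding more than DB_CACHE_ENTRIES entries. Instead of guarding the dereference, start the eviction walk from the new cache head, which is non-NULL whenever db_cache_count > DB_CACHE_ENTRIES, keep the first DB_CACHE_ENTRIES nodes and free the rest; that frees the surplus whether or not the cache had entries before. The commit message should also say whether the crash was observed or found by a compiler or static analyzer, since that decides whether a minimal guard or a fix of the eviction logic is the right change.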

But it also means that we will never free a handle in this case.  Which
means while your patch fixes a crash, the code still doesn't work in
that case.  Care to fix it?

Cheers,
Justus
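The reasoning in this message is easy to check on a small model of the cache. The following is an added example written for this page; it is not GnuPG code, and the list layout (next/prevp), the value of DB_CACHE_ENTRIES and all function names are assumptions made for the illustration. It reproduces the eviction step exactly as it reads in the quoted hunk after the patch (guarded write, then `while (old_head)`), alongside one way of evicting that walks from the current head instead. With an empty cache and more closed handles than DB_CACHE_ENTRIES, the patched variant frees nothing and the cache stays over the limit; the alternative trims it to DB_CACHE_ENTRIES. The model also shows that when the cache was not empty but count still exceeds DB_CACHE_ENTRIES, the hunk's logic frees only the old entries and keeps all count new ones.

```c
/* Added example, not GnuPG code: a self-contained model of the handle-cache
 * eviction pattern discussed in the thread.  The list layout (next/prevp),
 * DB_CACHE_ENTRIES and every function name are assumptions for this demo. */
#include <stdio.h>
#include <stdlib.h>

#define DB_CACHE_ENTRIES 4          /* assumed small limit so the cases are visible */

struct db {
  struct db *next;
  struct db **prevp;                /* address of the pointer that refers to us */
  int id;
};

static struct db *db_cache;         /* head of the cache list */
static int db_cache_count;          /* entries currently in db_cache */
static int freed_total;             /* entries evicted in the current scenario */

static void cache_reset (void)
{
  while (db_cache)
    {
      struct db *next = db_cache->next;
      free (db_cache);
      db_cache = next;
    }
  db_cache_count = 0;
  freed_total = 0;
}

/* Build COUNT "just closed" handles as a list (constructed sample input).  */
static struct db *make_handles (int count)
{
  struct db *head = NULL, **tail = &head;
  for (int i = 0; i < count; i++)
    {
      struct db *d = calloc (1, sizeof *d);
      d->id = i;
      d->prevp = tail;
      *tail = d;
      tail = &d->next;
    }
  return head;
}

/* Splice DBS (COUNT nodes) in front of the cache; return the previous head,
 * which is NULL when the cache was empty.  */
static struct db *prepend_to_cache (struct db *dbs, int count)
{
  struct db *old_head = db_cache, *last = dbs;
  while (last->next)
    last = last->next;
  last->next = old_head;
  if (old_head)
    old_head->prevp = &last->next;
  dbs->prevp = &db_cache;
  db_cache = dbs;
  db_cache_count += count;
  return old_head;
}

static int free_from (struct db *d)
{
  int n = 0;
  while (d)
    {
      struct db *next = d->next;
      free (d);
      n++;
      d = next;
    }
  freed_total += n;
  return n;
}

/* Eviction as it reads in the quoted hunk after the patch.  With an empty
 * cache and COUNT > DB_CACHE_ENTRIES, skip is negative, old_head stays NULL,
 * the guarded write is skipped and the final loop frees nothing.  */
static void evict_patched (struct db *old_head, int count)
{
  int skip = DB_CACHE_ENTRIES - count;
  if (db_cache_count <= DB_CACHE_ENTRIES)
    return;
  while (-- skip > 0)
    old_head = old_head->next;
  if (old_head)
    *old_head->prevp = NULL;
  db_cache_count -= free_from (old_head);
}

/* One way to evict correctly (assumed, not the project's fix): walk from the
 * current head, which is never NULL once the count exceeds the limit, keep
 * the first DB_CACHE_ENTRIES nodes and free everything after them.  */
static void evict_fixed (void)
{
  struct db *keep = db_cache;
  if (db_cache_count <= DB_CACHE_ENTRIES)
    return;
  for (int i = 1; i < DB_CACHE_ENTRIES; i++)
    keep = keep->next;
  db_cache_count -= free_from (keep->next);
  keep->next = NULL;
}

/* Start with CACHED entries, close COUNT more handles, run the chosen
 * eviction, return the entries left and store the number evicted in FREED. */
static int scenario (int cached, int count, int use_fixed, int *freed)
{
  struct db *old_head;
  int left;
  cache_reset ();
  if (cached > 0)
    prepend_to_cache (make_handles (cached), cached);
  old_head = prepend_to_cache (make_handles (count), count);
  if (use_fixed)
    evict_fixed ();
  else
    evict_patched (old_head, count);
  *freed = freed_total;
  left = db_cache_count;
  cache_reset ();
  return left;
}

int left_after (int cached, int count, int use_fixed)
{ int f; return scenario (cached, count, use_fixed, &f); }

int freed_after (int cached, int count, int use_fixed)
{ int f; scenario (cached, count, use_fixed, &f); return f; }

int main (void)
{
  printf ("patched, empty cache, close 6: left=%d freed=%d\n",
          left_after (0, 6, 0), freed_after (0, 6, 0));
  printf ("fixed,   empty cache, close 6: left=%d freed=%d\n",
          left_after (0, 6, 1), freed_after (0, 6, 1));
  printf ("patched, 2 cached,    close 6: left=%d freed=%d\n",
          left_after (2, 6, 0), freed_after (2, 6, 0));
  printf ("fixed,   2 cached,    close 6: left=%d freed=%d\n",
          left_after (2, 6, 1), freed_after (2, 6, 1));
  return 0;
}
```

Running it with the assumed limit of 4 shows the point of the message: the patched eviction leaves 6 entries and frees 0 when the cache started empty, and leaves 6 after freeing only the 2 old entries when it did not, while walking from the current head leaves 4 in both cases.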