[PATCH] tofu: fix null pointer dereference.

Ben Kibbey bjk at luxsci.net
Wed Jul 20 01:16:09 CEST 2016


On Tue, Jul 19, 2016 at 10:55:16AM +0200, Justus Winter wrote:
> Hi Ben :)
> 
> did you actually see this crash or are you fixing a compiler or static
> analyzer warning?  Because...

Yeah, saw this crash.

> * Thus, count > DB_CACHE_ENTRIES, and
> 
> int skip = DB_CACHE_ENTRIES - count;
> 
> * skip < 0.

int skip = count - DB_CACHE_ENTRIES;
while (old_head && --skip > 0)

may fix it, but in my case old_head is always NULL and is to the initial
db_cache near the start of the function.

> 
> >            while (-- skip > 0)
> >              old_head = old_head->next;
> 
> Which means it doesn't crash here (that was my first thought).
> 
> > -          *old_head->prevp = NULL;
> > +          if (old_head)
> > +            *old_head->prevp = NULL;
> >  
> >            while (old_head)
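Review bot: the added `if (old_head)` guard turns the NULL case into a silent no-op rather than fixing it: both the detach (`*old_head->prevp = NULL`) and the `while (old_head)` free loop are skipped, so the handle is never freed and the caller gets no indication anything went wrong. Since the reply above traces the NULL to `skip` being negative (`DB_CACHE_ENTRIES - count` with count > DB_CACHE_ENTRIES, so `while (-- skip > 0)` never advances), the fix belongs in the skip computation and the walk, along the lines of `int skip = count - DB_CACHE_ENTRIES;` and `while (old_head && --skip > 0)`, with a NULL old_head after the walk treated as a reportable error (return or assertion) rather than swallowed by the guard.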
> 
> But it also means that we will never free a handle in this case.  Which
> means while your patch fixes a crash, the code still doesn't work in
> that case.  Care to fix it?

I'll leave it to you or someone else to fix it but if you need more
information I'd be glad to give it to you.

BTW, the command line I am using is:

gpg --list-keys --with-colons --fixed-list-mode --with-fingerprint
--with-fingerprint --with-secret

with 'trust-model' set to tofu+pgp in gpg.conf.

-- 
Ben Kibbey
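To make the two failure modes discussed in this thread concrete, here is an added, self-contained C model of the cache eviction step. It is not GnuPG's tofu.c and does not reproduce its exact list layout; it only borrows the prevp back-link idiom and the names old_head, count and DB_CACHE_ENTRIES visible in the quoted hunk. The struct fields, the functions, the limit of 4 and the integer ids are all assumptions constructed for the demo. The trim walks past the entries it keeps with a non-negative skip (instead of the inverted DB_CACHE_ENTRIES - count), stops safely if the list ends early, and in that case returns -1 instead of silently doing nothing, which is the behaviour a bare if (old_head) guard would hide.

```c
#include <stdlib.h>

/* Assumed small limit so the demo overflows the cache quickly. */
#define DB_CACHE_ENTRIES 4

/* Hypothetical cache entry modelled on the prevp idiom in the quoted hunk:
 * next is the forward link, prevp is the address of whichever pointer
 * currently points at this entry (the list head or the previous next field). */
struct db_entry {
    int id;                   /* constructed payload; the real cache holds DB handles */
    struct db_entry *next;
    struct db_entry **prevp;
};

struct db_cache {
    struct db_entry *head;    /* newest entry first */
    int count;                /* number of entries the cache believes it holds */
};

/* Insert at the head and keep the prevp back-links consistent. */
static void cache_insert(struct db_cache *c, int id)
{
    struct db_entry *e = calloc(1, sizeof *e);
    if (!e)
        abort();
    e->id = id;
    e->next = c->head;
    e->prevp = &c->head;
    if (c->head)
        c->head->prevp = &e->next;
    c->head = e;
    c->count++;
}

/* Evict everything beyond the DB_CACHE_ENTRIES newest entries.
 * Returns the number of entries freed, or -1 if the list ended before the
 * walk reached the eviction point, i.e. count disagrees with the list.
 * That -1 is exactly the case a bare "if (old_head)" guard would swallow:
 * no crash, but no eviction and no signal that the bookkeeping is broken. */
static int cache_trim(struct db_cache *c)
{
    struct db_entry *old_head = c->head;
    int skip;
    int freed = 0;

    if (c->count <= DB_CACHE_ENTRIES)
        return 0;

    /* Walk past the entries we keep. The quoted patch computed
     * DB_CACHE_ENTRIES - count here, which is negative exactly when trimming
     * is needed, so its "while (--skip > 0)" loop never advanced. */
    skip = DB_CACHE_ENTRIES;
    while (old_head && skip-- > 0)
        old_head = old_head->next;

    if (!old_head)
        return -1;

    /* Detach the tail from the kept portion: prevp points at the previous
     * entry's next field (or at head), so this cuts the forward link. */
    *old_head->prevp = NULL;

    while (old_head) {
        struct db_entry *next = old_head->next;
        free(old_head);
        old_head = next;
        freed++;
    }
    c->count -= freed;
    return freed;
}

/* Length by actually walking the list, independent of the count field. */
static int cache_walk_length(const struct db_cache *c)
{
    int n = 0;
    const struct db_entry *e;
    for (e = c->head; e; e = e->next)
        n++;
    return n;
}

/* id of the n-th entry from the head, or -1 if there is none. */
static int cache_nth_id(const struct db_cache *c, int n)
{
    const struct db_entry *e = c->head;
    while (e && n-- > 0)
        e = e->next;
    return e ? e->id : -1;
}

static void cache_free_all(struct db_cache *c)
{
    while (c->head) {
        struct db_entry *next = c->head->next;
        free(c->head);
        c->head = next;
    }
    c->count = 0;
}
```

A caller that inserts six entries and trims gets 2 back and a four-entry list; a cache whose count field claims more entries than the list holds gets -1 from cache_trim, leaves the list untouched, and never dereferences a NULL old_head, so the inconsistency surfaces at the call site instead of being masked.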


