[PATCH] cpukit/libnetworking/libc/getifaddrs.c: Fix undefined behavior on freeing auto variable if NET_RT_IFLIST isn't defined.

Martin Galvan martin.galvan at tallertechnologies.com
Tue Oct 13 21:15:41 UTC 2015


The 'buf' variable in the getifaddrs function may be defined either as a pointer
or as an array, depending on whether NET_RT_IFLIST is defined. However, we end
up doing a free(buf) in both cases. This patch fixes that issue.

Closes #2427.

---
 cpukit/libnetworking/libc/getifaddrs.c | 20 +++++++++++++++-----
 1 file changed, 15 insertions(+), 5 deletions(-)

diff --git a/cpukit/libnetworking/libc/getifaddrs.c b/cpukit/libnetworking/libc/getifaddrs.c
index b5979cd..d181ca3 100644
--- a/cpukit/libnetworking/libc/getifaddrs.c
+++ b/cpukit/libnetworking/libc/getifaddrs.c
@@ -217,6 +217,18 @@ getifaddrs(struct ifaddrs **pif)
 			break;
 		}
 	}
+
+	if (icnt + dcnt + ncnt == 1) {
+		*pif = NULL;
+		free(buf);
+		return (0);
+	}
+
+	data = malloc(sizeof(struct ifaddrs) * icnt + dcnt + ncnt);
+	if (data == NULL) {
+		free(buf);
+		return(-1);
+	}
 #else	/* NET_RT_IFLIST */
 	ifc.ifc_buf = buf;
 	ifc.ifc_len = sizeof(buf);
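Review bot: The added `data = malloc(sizeof(struct ifaddrs) * icnt + dcnt + ncnt);` computes its size with no overflow or sign check, and after this patch the same expression appears in both preprocessor branches (here and in the second hunk). The declarations of `icnt`, `dcnt` and `ncnt` and the loops that accumulate them are outside the hunk, so their type and range are not visible; if they are plain `int` totals built from interface-list lengths, a range check before the allocation would be cheap insurance. Duplicating the early-return and malloc blocks also means any later fix has to be made twice. Keeping the single shared copy after `#endif` and guarding only the release, `#ifdef NET_RT_IFLIST` / `free(buf);` / `#endif`, would fix the same undefined behavior with less duplicated code. The body of getifaddrs starts and ends outside the hunk, so any other `free(buf)` later in the function cannot be checked from here.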
@@ -244,18 +256,16 @@ getifaddrs(struct ifaddrs **pif)
 		else
 			ifr = (struct ifreq *)(((char *)sa) + SA_LEN(sa));
 	}
-#endif	/* NET_RT_IFLIST */

 	if (icnt + dcnt + ncnt == 1) {
 		*pif = NULL;
-		free(buf);
 		return (0);
 	}
+
 	data = malloc(sizeof(struct ifaddrs) * icnt + dcnt + ncnt);
-	if (data == NULL) {
-		free(buf);
+	if (data == NULL)
 		return(-1);
-	}
+#endif	/* NET_RT_IFLIST */

 	ifa = (struct ifaddrs *)(void *)data;
 	data += sizeof(struct ifaddrs) * icnt;
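Review bot: Nothing in the `#else` branch records why the two early returns no longer release `buf`, so a later reader comparing the branches could take the missing `free(buf)` for a leak and put it back. A one-line comment above `if (icnt + dcnt + ncnt == 1) {` would preserve the reason, for example `/* buf is an automatic array in this branch: never pass it to free() */`. The declaration of `buf` is outside the hunk; the commit description is what states it is an array when NET_RT_IFLIST is not defined.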
--
2.6.1


