File net-snmp-5.7.3-fix-potential-bad-free.patch of Package net-snmp.27328
commit d27ccfba26840ef8446152c007557ca4daa45a8f
Author: Jan Safranek <jsafranek@users.sourceforge.net>
Date: Mon Jan 18 12:38:58 2016 +0100
Fixed potential bad free.
When 'default_domain' starts with a comma ',', the first strtok()
returns a pointer somewhere into the 'default_domain' duplicate and not
to its first character. When cleaning up, make sure we free
the duplicate (i.e. tokenized_domain) and not the first found token
(which may be different).
diff --git a/snmplib/snmp_transport.c b/snmplib/snmp_transport.c
index 29bc50a6d2..b3cbcc2e7e 100644
--- a/snmplib/snmp_transport.c
+++ b/snmplib/snmp_transport.c
@@ -499,6 +499,7 @@ netsnmp_tdomain_transport_full(const char *application,
int any_found = 0;
char buf[SNMP_MAXPATH];
char **lspec = 0;
+ char *tokenized_domain = 0;
DEBUGMSGTL(("tdomain",
"tdomain_transport_full(\"%s\", \"%s\", %d, \"%s\", \"%s\")\n",
@@ -593,13 +594,13 @@ netsnmp_tdomain_transport_full(const char *application,
else {
int commas = 0;
const char *cp = default_domain;
- char *dup = strdup(default_domain);
char *ptr = NULL;
+ tokenized_domain = strdup(default_domain);
while (*++cp) if (*cp == ',') commas++;
lspec = calloc(commas+2, sizeof(char *));
commas = 1;
- lspec[0] = strtok_r(dup, ",", &ptr);
+ lspec[0] = strtok_r(tokenized_domain, ",", &ptr);
while ((lspec[commas++] = strtok_r(NULL, ",", &ptr)))
;
spec = (const char * const *)lspec;
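Review bot: Neither allocation is checked before use: `tokenized_domain = strdup(default_domain)` and `lspec = calloc(commas+2, sizeof(char *))` can both return NULL, and the next statement writes `lspec[0]` and hands the duplicate to `strtok_r()`. A guard right after the `calloc()` line, e.g. `if (!tokenized_domain || !lspec) { free(tokenized_domain); free(lspec); return NULL; }`, would keep a low-memory condition from becoming a NULL dereference; whether a bare `return NULL` is the right exit depends on cleanup outside this hunk. Separately, `while (*++cp)` advances before testing, so if `default_domain` can be an empty string here the loop reads past its terminator; `for (; *cp; cp++)` avoids that and at worst over-counts by one. The enclosing function starts and ends outside the hunk.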
@@ -653,7 +654,7 @@ netsnmp_tdomain_transport_full(const char *application,
t = match->f_create_from_tstring_new(addr, local, addr2);
if (t) {
if (lspec) {
- free(lspec[0]);
+ free(tokenized_domain);
free(lspec);
}
return t;
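Review bot: The cleanup at this exit and at the final `return NULL` in the next hunk is duplicated and still keyed on `lspec` rather than on the pointer being released. Since `free(NULL)` is a no-op and both pointers are initialised to 0 at declaration, the guard can go: `free(tokenized_domain); free(lspec);`, ideally in one shared cleanup path so a later exit cannot free the wrong pointer or skip the duplicate. Any other return between these two hunks is not visible here and would need the same treatment. A short comment at the declaration, such as `/* strdup() of default_domain; lspec[] entries point into it */`, would record the ownership that this fix relies on.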
@@ -668,7 +669,7 @@ netsnmp_tdomain_transport_full(const char *application,
if (!any_found)
snmp_log(LOG_ERR, "No support for any checked transport domain\n");
if (lspec) {
- free(lspec[0]);
+ free(tokenized_domain);
free(lspec);
}
return NULL;