File net-snmp-5.7.3-fix-potential-bad-free.patch of Package net-snmp

Overview Repositories Revisions Requests Users Attributes Meta

File net-snmp-5.7.3-fix-potential-bad-free.patch of Package net-snmp

commit d27ccfba26840ef8446152c007557ca4daa45a8f
Author: Jan Safranek <jsafranek@users.sourceforge.net>
Date:   Mon Jan 18 12:38:58 2016 +0100

Fixed potential bad free.
    
    When a 'default_domain' starts with a comma ',', the first strtok()
    returns pointer somwehere to the 'default_domain' duplicate and not
    to the first character. When cleaning up, make sure we try to free
    the duplicate (i.e. tokenized_domain) and not the first found token
    (which may be different).

diff --git a/snmplib/snmp_transport.c b/snmplib/snmp_transport.c
index 29bc50a6d2..b3cbcc2e7e 100644
--- a/snmplib/snmp_transport.c
+++ b/snmplib/snmp_transport.c
@@ -499,6 +499,7 @@ netsnmp_tdomain_transport_full(const char *application,
     int                 any_found = 0;
     char buf[SNMP_MAXPATH];
     char **lspec = 0;
+    char *tokenized_domain = 0;
 
     DEBUGMSGTL(("tdomain",
                 "tdomain_transport_full(\"%s\", \"%s\", %d, \"%s\", \"%s\")\n",
@@ -593,13 +594,13 @@ netsnmp_tdomain_transport_full(const char *application,
             else {
                 int commas = 0;
                 const char *cp = default_domain;
-                char *dup = strdup(default_domain);
                 char *ptr = NULL;
+                tokenized_domain = strdup(default_domain);
 
                 while (*++cp) if (*cp == ',') commas++;
                 lspec = calloc(commas+2, sizeof(char *));
                 commas = 1;
-                lspec[0] = strtok_r(dup, ",", &ptr);
+                lspec[0] = strtok_r(tokenized_domain, ",", &ptr);
                 while ((lspec[commas++] = strtok_r(NULL, ",", &ptr)))
                     ;
                 spec = (const char * const *)lspec;
@@ -653,7 +654,7 @@ netsnmp_tdomain_transport_full(const char *application,
                 t = match->f_create_from_tstring_new(addr, local, addr2);
             if (t) {
                 if (lspec) {
-                    free(lspec[0]);
+                    free(tokenized_domain);
                     free(lspec);
                 }
                 return t;
@@ -668,7 +669,7 @@ netsnmp_tdomain_transport_full(const char *application,
     if (!any_found)
         snmp_log(LOG_ERR, "No support for any checked transport domain\n");
     if (lspec) {
-        free(lspec[0]);
+        free(tokenized_domain);
         free(lspec);
     }
     return NULL;

Places

File net-snmp-5.7.3-fix-potential-bad-free.patch of Package net-snmp

Places