Gitiles
Code Review Sign In
gerrit-public.fairphone.software / fp2-dev / platform / external / iproute2 / d21e88354b2a42b026384730a767f2108bcf8efe^! / . / lib / utils.c
commitd21e88354b2a42b026384730a767f2108bcf8efe[log] [tgz]
authorAndreas Henriksson <andreas@fatal.se>Fri Oct 12 10:56:42 2007 +0200
committerStephen Hemminger <shemminger@linux-foundation.org>Wed Oct 17 10:02:33 2007 -0700
tree949ed0f52bd2f574754e15e9be0dd9e546107cf1
parent59a3ffb004cfd550cbe0ab805c9a15682b88d78f [diff] [blame]
Fix corruption when using batch files with comments and broken lines.
The problem was that length of allocation changed but caller not told.

Anyway, the patch fixes a problem resulting in a double free
that occurs when using batch files that contains a special combination
of broken up lines and comments as reported in:
http://bugs.debian.org/398912

Thanks to Michal Pokrywka <mpokrywka@hoga.pl> for testcase and information
on which conditions problem could be reproduced under.

Signed-off-by: Andreas Henriksson <andreas@fatal.se>
Signed-off-by: Stephen Hemminger <shemminger@linux-foundation.org>

diff --git a/lib/utils.c b/lib/utils.c
index 4c42dfd..ffef6fe 100644
--- a/lib/utils.c
+++ b/lib/utils.c

@@ -642,9 +642,9 @@
 int cmdlineno;
 
 /* Like glibc getline but handle continuation lines and comments */
-size_t getcmdline(char **linep, size_t *lenp, FILE *in)
+ssize_t getcmdline(char **linep, size_t *lenp, FILE *in)
 {
-	size_t cc;
+	ssize_t cc;
 	char *cp;
 
 	if ((cc = getline(linep, lenp, in)) < 0)
@@ -672,9 +672,11 @@
 		if (cp)
 			*cp = '\0';
 
-		*linep = realloc(*linep, strlen(*linep) + strlen(line1) + 1);
+		*lenp = strlen(*linep) + strlen(line1) + 1;
+		*linep = realloc(*linep, *lenp);
 		if (!*linep) {
 			fprintf(stderr, "Out of memory\n");
+			*lenp = 0;
 			return -1;
 		}
 		cc += cc1 - 2;