From: millert Date: Thu, 8 Jan 2015 22:10:08 +0000 (+0000) Subject: Avoid a crash (free of bogus pointer) when there is a syntax error X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=b49d95e6e7394c8512018270249b920d9dcd976e;p=openbsd Avoid a crash (free of bogus pointer) when there is a syntax error reading the config socket by clearing the entire blacklist struct instead of just the tag string. Also avoid holes in the blacklist array on error since the code can't cope with them. OK beck@ --- diff --git a/libexec/spamd/sdl.c b/libexec/spamd/sdl.c index 40aac687cfa..a056286ff49 100644 --- a/libexec/spamd/sdl.c +++ b/libexec/spamd/sdl.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sdl.c,v 1.19 2014/10/11 03:25:16 doug Exp $ */ +/* $OpenBSD: sdl.c,v 1.20 2015/01/08 22:10:08 millert Exp $ */ /* * Copyright (c) 2003-2007 Bob Beck. All rights reserved. @@ -73,18 +73,18 @@ sdl_add(char *sdname, char *sdstring, char ** addrs, int addrc) } else { if (debug > 0) printf("adding list %s; %d entries\n", sdname, addrc); - idx = blu; - } - if (idx == blu && blu == blc) { - struct sdlist *tmp; + if (blu == blc) { + struct sdlist *tmp; - tmp = reallocarray(blacklists, blc + 128, - sizeof(struct sdlist)); - if (tmp == NULL) - return (-1); - blacklists = tmp; - blc += 128; - sdl_clear(&blacklists[idx]); + tmp = reallocarray(blacklists, blc + 128, + sizeof(struct sdlist)); + if (tmp == NULL) + return (-1); + blacklists = tmp; + blc += 128; + sdl_clear(&blacklists[blu]); + } + idx = blu; } if ((blacklists[idx].tag = strdup(sdname)) == NULL) @@ -151,7 +151,7 @@ sdl_add(char *sdname, char *sdstring, char ** addrs, int addrc) } if (idx == blu) { blu++; - blacklists[blu].tag = NULL; + sdl_clear(&blacklists[blu]); } return (0); parse_error: @@ -159,6 +159,11 @@ sdl_add(char *sdname, char *sdstring, char ** addrs, int addrc) printf("sdl_add: parse error, \"%s\"\n", addrs[i]); misc_error: sdl_free(&blacklists[idx]); + if (idx != blu) { + memmove(&blacklists[idx], &blacklists[idx + 1], + (blu - idx) * sizeof(*blacklists)); + blu--; + } return (-1); }