From 24d3db5c649a73e87e51165f8e96eef76f95766d Mon Sep 17 00:00:00 2001
From: deraadt <deraadt@openbsd.org>
Date: Wed, 23 Jul 2008 19:36:47 +0000
Subject: [PATCH] Avoid an occasional double free in getpwent() which corrupted
 memory.  It happened only in the case of a + record indicating to use YP, but
 with ypbind not actually running.  Problem found by pyr; solution found with
 millert ok millert pyr

---
 lib/libc/gen/getpwent.c | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)

diff --git a/lib/libc/gen/getpwent.c b/lib/libc/gen/getpwent.c
index f369c22e83e..48b4e6f5e6a 100644
--- a/lib/libc/gen/getpwent.c
+++ b/lib/libc/gen/getpwent.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: getpwent.c,v 1.37 2008/07/06 22:19:39 deraadt Exp $ */
+/*	$OpenBSD: getpwent.c,v 1.38 2008/07/23 19:36:47 deraadt Exp $ */
 /*
  * Copyright (c) 2008 Theo de Raadt
  * Copyright (c) 1988, 1993
@@ -332,7 +332,7 @@ again:
 	if (__getpwent_has_yppw && (__ypmode != YPMODE_NONE)) {
 		const char *user, *host, *dom;
 		int keylen, datalen, r, s;
-		char *key, *data;
+		char *key, *data = NULL;
 
 		if (!__ypdomain) {
 			if (_yp_check(&__ypdomain) == 0) {
@@ -352,7 +352,6 @@ again:
 					__ypmode = YPMODE_NONE;
 					if (data)
 						free(data);
-					data = NULL;
 					goto again;
 				}
 				__ypcurrent = key;
@@ -371,7 +370,6 @@ again:
 			}
 			bcopy(data, __ypline, datalen);
 			free(data);
-			data = NULL;
 			break;
 		case YPMODE_NETGRP:
 			s = getnetgrent(&host, &user, &dom);
@@ -397,7 +395,6 @@ again:
 			}
 			bcopy(data, __ypline, datalen);
 			free(data);
-			data = NULL;
 			break;
 		case YPMODE_USER:
 			if (name) {
@@ -414,7 +411,6 @@ again:
 				}
 				bcopy(data, __ypline, datalen);
 				free(data);
-				data = NULL;
 			} else {		/* XXX */
 				__ypmode = YPMODE_NONE;
 				goto again;
-- 
2.20.1