| From 69bc94779c2f035a9fffdb5327a54c3aeca73ed5 Mon Sep 17 00:00:00 2001 |
| From: Simon Kelley <simon@thekelleys.org.uk> |
| Date: Wed, 14 Aug 2019 20:44:50 +0100 |
| Subject: [PATCH] Fix memory leak in helper.c |
| |
| Thanks to Xu Mingjie <xumingjie1995@outlook.com> for spotting this. |
| |
| CVE: CVE-2019-14834 |
| Upstream-Status: Backport |
| Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com> |
| --- |
| src/helper.c | 12 +++++++++--- |
| 1 file changed, 9 insertions(+), 3 deletions(-) |
| |
| diff --git a/src/helper.c b/src/helper.c |
| index 33ba120..c392eec 100644 |
| --- a/src/helper.c |
| +++ b/src/helper.c |
| @@ -82,7 +82,8 @@ int create_helper(int event_fd, int err_fd, uid_t uid, gid_t gid, long max_fd) |
| pid_t pid; |
| int i, pipefd[2]; |
| struct sigaction sigact; |
| - |
| + unsigned char *alloc_buff = NULL; |
| + |
| /* create the pipe through which the main program sends us commands, |
| then fork our process. */ |
| if (pipe(pipefd) == -1 || !fix_fd(pipefd[1]) || (pid = fork()) == -1) |
| @@ -188,11 +189,16 @@ int create_helper(int event_fd, int err_fd, uid_t uid, gid_t gid, long max_fd) |
| struct script_data data; |
| char *p, *action_str, *hostname = NULL, *domain = NULL; |
| unsigned char *buf = (unsigned char *)daemon->namebuff; |
| - unsigned char *end, *extradata, *alloc_buff = NULL; |
| + unsigned char *end, *extradata; |
| int is6, err = 0; |
| int pipeout[2]; |
| |
| - free(alloc_buff); |
| + /* Free rarely-allocated memory from previous iteration. */ |
| + if (alloc_buff) |
| + { |
| + free(alloc_buff); |
| + alloc_buff = NULL; |
| + } |
| |
| /* we read zero bytes when pipe closed: this is our signal to exit */ |
| if (!read_write(pipefd[0], (unsigned char *)&data, sizeof(data), 1)) |
| -- |
| 1.7.10.4 |