[Pkg-gnupg-maint] Bug#773520: Bug#773520: use-after-free

NIIBE Yutaka gniibe at fsij.org
Wed Jan 7 04:58:04 UTC 2015


Hello,

Thanks for your reviewing and reporting.  This message is Cc-ed to
gnupg-devel.

On 12/19/2014 09:56 PM, Joshua Rogers wrote:
> Package: gnupg2
> Version: 2.1.1
> Severity: normal
[...]
> In ks-engine-hkp.c on line 509 'reftbl' is freed, but it is then
> used on line 511. I'm guessing this is a missing return;.

Right.

Here is my fix along with other fixes in map_host function.


diff --git a/dirmngr/ks-engine-hkp.c b/dirmngr/ks-engine-hkp.c
index 3c6a003..c13cec9 100644
--- a/dirmngr/ks-engine-hkp.c
+++ b/dirmngr/ks-engine-hkp.c
@@ -325,6 +325,7 @@ static gpg_error_t
 map_host (ctrl_t ctrl, const char *name, int force_reselect,
           char **r_host, unsigned int *r_httpflags, char **r_poolname)
 {
+  gpg_error_t err = 0;
   hostinfo_t hi;
   int idx;

@@ -361,8 +362,9 @@ map_host (ctrl_t ctrl, const char *name, int force_reselect,
       idx = create_new_hostinfo (name);
       if (idx == -1)
         {
+          err = gpg_error_from_syserror ();
           xfree (reftbl);
-          return gpg_error_from_syserror ();
+          return err;
         }
       hi = hosttable[idx];

@@ -504,9 +506,11 @@ map_host (ctrl_t ctrl, const char *name, int force_reselect,
           hi->pool = xtryrealloc (reftbl, (refidx+1) * sizeof *reftbl);
           if (!hi->pool)
             {
+              err = gpg_error_from_syserror ();
               log_error ("shrinking index table in map_host failed: %s\n",
                          strerror (errno));
               xfree (reftbl);
+              return err;
             }
           qsort (reftbl, refidx, sizeof *reftbl, sort_hostpool);
         }
@@ -570,12 +574,13 @@ map_host (ctrl_t ctrl, const char *name, int force_reselect,
   *r_host = xtrystrdup (hi->name);
   if (!*r_host)
     {
+      err = gpg_error_from_syserror ();
       if (r_poolname)
         {
           xfree (*r_poolname);
           *r_poolname = NULL;
         }
-      return gpg_error_from_syserror ();
+      return err;
     }
   return 0;
 }
-- 



More information about the Pkg-gnupg-maint mailing list