[Xcb-commit] src

Peter Harris peterh at kemper.freedesktop.org
Thu Mar 24 08:31:47 PDT 2011


 src/xcb_auth.c |   11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

New commits:
commit 70976d87f18d15c2ccc28eb7728e4822d3849e0d
Author: Rami Ylimäki <rami.ylimaki at vincit.fi>
Date:   Wed Mar 23 17:47:50 2011 +0200

    Prevent theoretical double free and leak on get_peer_sock_name.
    
    Variable new_sockname will leak and sockname will be double freed if
    both of the cases shown below are true.
    
    1. realloc succeeds and doesn't return the original pointer
    2. calling socket_func fails
    
    Signed-off-by: Rami Ylimäki <rami.ylimaki at vincit.fi>
    Signed-off-by: Erkki Seppälä <erkki.seppala at vincit.fi>
    Reviewed-by: Arnaud Fontaine <arnau at debian.org>
    Signed-off-by: Peter Harris <pharris at opentext.com>

diff --git a/src/xcb_auth.c b/src/xcb_auth.c
index 4839b78..a3a7e45 100644
--- a/src/xcb_auth.c
+++ b/src/xcb_auth.c
@@ -261,7 +261,7 @@ static struct sockaddr *get_peer_sock_name(int (*socket_func)(int,
 {
     socklen_t socknamelen = sizeof(struct sockaddr) + INITIAL_SOCKNAME_SLACK;
     socklen_t actual_socknamelen = socknamelen;
-    struct sockaddr *sockname = malloc(socknamelen), *new_sockname = NULL;
+    struct sockaddr *sockname = malloc(socknamelen);
 
     if (sockname == NULL)
         return NULL;
@@ -274,14 +274,17 @@ static struct sockaddr *get_peer_sock_name(int (*socket_func)(int,
 
     if (actual_socknamelen > socknamelen)
     {
+        struct sockaddr *new_sockname = NULL;
         socknamelen = actual_socknamelen;
 
-        if ((new_sockname = realloc(sockname, actual_socknamelen)) == NULL ||
-            socket_func(fd, new_sockname, &actual_socknamelen) == -1 ||
-            actual_socknamelen > socknamelen) 
+        if ((new_sockname = realloc(sockname, actual_socknamelen)) == NULL)
             goto sock_or_realloc_error;
 
         sockname = new_sockname;
+
+        if (socket_func(fd, sockname, &actual_socknamelen) == -1 ||
+            actual_socknamelen > socknamelen)
+            goto sock_or_realloc_error;
     }
 
     return sockname;
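Review bot: Nothing in the new code records the ordering this fix depends on: `sockname = new_sockname;` has to run before any later `goto sock_or_realloc_error`. A future cleanup could fold the second `socket_func` call back into the `realloc` condition and reintroduce the double free and leak. I would add a comment above the assignment such as `/* realloc may have moved the block: update sockname before any further goto, the error path releases sockname */`. The label body is outside this hunk, so that it frees `sockname` is inferred from the commit message rather than seen here. As a smaller style point, `new_sockname` is initialised to NULL and then immediately overwritten; `struct sockaddr *new_sockname = realloc(sockname, actual_socknamelen);` followed by `if (new_sockname == NULL)` avoids the assignment inside the condition.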

