After the call to malloc() the cfg object is only partially initialized with memset(). If parsing of the ini file fails because of a parsing error then the subsequent call to rte_cfgfile_close() segfaults due to uninitialized memory.
This reproducible by attempting to parse a ini file that has a key=value entry before the first [section] statement.
Signed-off-by: Allain Legacy <allain.leg...@windriver.com>
---
 lib/librte_cfgfile/rte_cfgfile.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/lib/librte_cfgfile/rte_cfgfile.c b/lib/librte_cfgfile/rte_cfgfile.c
index 603dd73..7a9206d 100644
--- a/lib/librte_cfgfile/rte_cfgfile.c
+++ b/lib/librte_cfgfile/rte_cfgfile.c
@@ -94,18 +94,19 @@ struct rte_cfgfile *
 int curr_entry = -1;
 char buffer[256] = {0};
 int lineno = 0;
+ size_t size;
 struct rte_cfgfile *cfg = NULL;
 FILE *f = fopen(filename, "r");
 if (f == NULL)
 return NULL;
- cfg = malloc(sizeof(*cfg) + sizeof(cfg->sections[0]) *
- allocated_sections);
+ size = sizeof(*cfg) + sizeof(cfg->sections[0]) * allocated_sections;
+ cfg = malloc(size);
 if (cfg == NULL)
 goto error2;
- memset(cfg->sections, 0, sizeof(cfg->sections[0]) * allocated_sections);
+ memset(cfg, 0, size);
 while (fgets(buffer, sizeof(buffer), f) != NULL) {
 char *pos = NULL;
--
1.8.3.1
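Review bot: The new `malloc(size)` followed by `memset(cfg, 0, size)` can be collapsed into `cfg = calloc(1, size);`, which zeroes the whole object in one call and makes it impossible for the allocation size and the cleared size to diverge again, which is the class of bug this change fixes. If `allocated_sections` is a signed int (it is declared above the hunk, so not visible here), the product is computed in size_t after conversion and a negative value would wrap to a huge allocation; that is pre-existing, but the new `size` variable is the natural place for a range check. Whichever form is kept, the reason for clearing the header rather than only the sections array deserves a comment, e.g. `/* clear the whole object: rte_cfgfile_close() reads the header fields on the early-error path */`. rte_cfgfile_load's body starts and ends outside the hunk.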