installboot: double free

Tue, 06 Nov 2018 00:35:34 -0800 

Hello,

In installboot's fileprefix() function r is the return value
of realpath(). If snprintf() fails free(r) happens twice---
the second time is at label "err". From what I see the behavior
was introduced in util.c revision 1.12.
Does this fix look OK?

- Michael


Index: util.c
===================================================================
RCS file: /cvs/src/usr.sbin/installboot/util.c,v
retrieving revision 1.12
diff -u -p -r1.12 util.c
--- util.c      3 Jul 2018 20:14:41 -0000       1.12
+++ util.c      6 Nov 2018 08:26:45 -0000
@@ -125,6 +125,7 @@ fileprefix(const char *base, const char 
        }
        n = snprintf(s, PATH_MAX, "%s/%s", r, b);
        free(r);
+       r = NULL;
        if (n < 1 || n >= PATH_MAX) {
                warn("snprintf");
                goto err;

Reply via email to