This is the mail archive of the newlib@sourceware.org mailing list for the newlib project.
Fix for access to freed memory in cleanupdir()
- From: Sebastian Huber <sebastian dot huber at embedded-brains dot de>
- To: Newlib <newlib at sources dot redhat dot com>
- Date: Tue, 22 Dec 2009 14:31:12 +0100
- Subject: Fix for access to freed memory in cleanupdir()
Hi,
cleanupdir() uses freed memory in telldir.c:179. Please have a look at the
attached patch.
Have a nice day!
2009-12-22 Sebastian Huber <sebastian.huber@embedded-brains.de>
* libc/posix/telldir.c (_cleanupdir): Fixed usage of freed memory.
--
Sebastian Huber, embedded brains GmbH
Address : Obere Lagerstr. 30, D-82178 Puchheim, Germany
Phone : +49 89 18 90 80 79-6
Fax : +49 89 18 90 80 79-9
E-Mail : sebastian.huber@embedded-brains.de
PGP : Public key available on request.
This message is not a business communication within the meaning of the EHUG.
Index: libc/posix/telldir.c
===================================================================
RCS file: /cvs/src/src/newlib/libc/posix/telldir.c,v
retrieving revision 1.6
diff -u -r1.6 telldir.c
--- libc/posix/telldir.c 27 Nov 2008 21:01:40 -0000 1.6
+++ libc/posix/telldir.c 22 Dec 2009 12:50:33 -0000
@@ -169,26 +169,26 @@
__lock_acquire(dd_hash_lock);
#endif
for (i = 0; i < NDIRHASH; ++i) {
+ struct ddloc head;
register struct ddloc *lp;
register struct ddloc *prevlp;
+
lp = dd_hash[i];
- while (lp != NULL && lp->loc_dirp == dirp) {
- dd_hash[i] = lp->loc_next;
- prevlp = lp;
- free((caddr_t)lp);
- lp = prevlp->loc_next;
- }
- prevlp = lp;
+ head.loc_next = lp;
+ prevlp = &head;
while (lp != NULL) {
- lp = lp->loc_next;
- if (lp != NULL && lp->loc_dirp == dirp) {
- prevlp->loc_next = lp->loc_next;
+ struct ddloc *nextlp;
+
+ nextlp = lp->loc_next;
+ if (lp->loc_dirp == dirp) {
+ prevlp->loc_next = nextlp;
free((caddr_t)lp);
- lp = prevlp;
}
else
prevlp = lp;
+ lp = nextlp;
}
+ dd_hash[i] = head.loc_next;
}
#ifdef HAVE_DD_LOCK
__lock_release(dd_hash_lock);
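Review bot: the stack dummy `struct ddloc head;` declared at the top of the for-loop body has only `loc_next` initialised, and it exists solely so that `prevlp` always has something to point at. Walking the bucket with a pointer to the link instead (`struct ddloc **pp = &dd_hash[i];`, then either `*pp = nextlp` on a match or `pp = &lp->loc_next` otherwise) would remove the dummy node, its indeterminate members and the trailing `dd_hash[i] = head.loc_next;` store. If the dummy head stays, a short comment next to `nextlp = lp->loc_next;` saying that the successor must be read before `free((caddr_t)lp)` would help, since the removed loops went wrong exactly there (`prevlp = lp; free((caddr_t)lp); lp = prevlp->loc_next;`) and the ordering is easy to undo in a later cleanup. The new inner block also mixes a braced `if` with an unbraced `else`; that matches the old code, but bracing both would make the `lp = nextlp;` step that follows less easy to misread as part of the `else`.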