diff options
| author | Todd C. Miller <millert@cvs.openbsd.org> | 2003-01-20 02:52:51 +0000 |
|---|---|---|
| committer | Todd C. Miller <millert@cvs.openbsd.org> | 2003-01-20 02:52:51 +0000 |
| commit | 429aa0f95fe415fd85c6b4e5fcfc974c7a4b2525 (patch) | |
| tree | e5cab6cff22744c5baa460f76d03a6bf298e486a /gnu/usr.bin/cvs | |
| parent | b2aa197a56aab46a8e59978b089a67cfdff51ced (diff) | |
In dirswitch(), don't free dir_name until right before allocating
it again. This removes a potential double-free problem, whereby
this function could free dir_name and then immediately return due
to invalid directory syntax (without ever reassigning dir_name),
then re-enter and free dir_name again. Fix from Stefan Esser.
Diffstat (limited to 'gnu/usr.bin/cvs')
| -rw-r--r-- | gnu/usr.bin/cvs/src/server.c | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/gnu/usr.bin/cvs/src/server.c b/gnu/usr.bin/cvs/src/server.c index 762a6d72438..4a61b1dbf14 100644 --- a/gnu/usr.bin/cvs/src/server.c +++ b/gnu/usr.bin/cvs/src/server.c @@ -977,9 +977,6 @@ dirswitch (dir, repos) return; } - if (dir_name != NULL) - free (dir_name); - dir_len = strlen (dir); /* Check for a trailing '/'. This is not ISDIRSEP because \ in the @@ -995,6 +992,9 @@ dirswitch (dir, repos) return; } + if (dir_name != NULL) + free (dir_name); + dir_name = malloc (strlen (server_temp_dir) + dir_len + 40); if (dir_name == NULL) { |