kernel: fix bogus free in sysexec.

we free the wrong pointer in the waserror() block.
cinap_lenrek 2014-02-02 15:11:19 +01:00
parent 269788514c
commit 0cdb32cc18


@ -251,8 +251,7 @@ sysexec(va_list list)
Image *img; Image *img;
Tos *tos; Tos *tos;
a = nil; args = elem = nil;
elem = nil;
file0 = va_arg(list, char*); file0 = va_arg(list, char*);
validaddr((uintptr)file0, 1, 0); validaddr((uintptr)file0, 1, 0);
argp0 = va_arg(list, char**); argp0 = va_arg(list, char**);
@ -260,7 +259,7 @@ sysexec(va_list list)
if(waserror()){ if(waserror()){
free(file0); free(file0);
free(elem); free(elem);
free(a); free(args);
/* Disaster after commit */ /* Disaster after commit */
if(!up->seg[SSEG]) if(!up->seg[SSEG])
pexit(up->errstr, 1); pexit(up->errstr, 1);
@ -396,7 +395,7 @@ sysexec(va_list list)
argv = (char**)(tstk - ssize); argv = (char**)(tstk - ssize);
charp = (char*)(tstk - nbytes); charp = (char*)(tstk - nbytes);
args = charp; a = charp;
if(indir) if(indir)
argp = progarg; argp = progarg;
else else
@ -414,18 +413,18 @@ sysexec(va_list list)
} }
/* copy args; easiest from new process's stack */ /* copy args; easiest from new process's stack */
n = charp - args; n = charp - a;
if(n > 128) /* don't waste too much space on huge arg lists */ if(n > 128) /* don't waste too much space on huge arg lists */
n = 128; n = 128;
a = smalloc(n); args = smalloc(n);
memmove(a, args, n); memmove(args, a, n);
if(n>0 && a[n-1]!='\0'){ if(n>0 && args[n-1]!='\0'){
/* make sure last arg is NUL-terminated */ /* make sure last arg is NUL-terminated */
/* put NUL at UTF-8 character boundary */ /* put NUL at UTF-8 character boundary */
for(i=n-1; i>0; --i) for(i=n-1; i>0; --i)
if(fullrune(a+i, n-i)) if(fullrune(args+i, n-i))
break; break;
a[i] = 0; args[i] = 0;
n = i+1; n = i+1;
} }
@ -505,7 +504,7 @@ sysexec(va_list list)
free(up->text); free(up->text);
up->text = elem; up->text = elem;
free(up->args); free(up->args);
up->args = a; up->args = args;
up->nargs = n; up->nargs = n;
up->setargs = 0; up->setargs = 0;
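Review bot: The handoff in the last hunk (`up->text = elem;`, `up->args = args;`) stores the same two pointers that the waserror() block releases with `free(elem); free(args);`. If that handler is still armed at the handoff, a later error() would free memory that `up` now owns. The hunks do not show where poperror() sits relative to these lines, so this needs checking against the full function; sysexec's body starts and ends outside the hunks shown. I would add a comment at the handoff such as `/* elem and args now belong to up; the waserror() handler must be popped before this point */`. A second comment at the declarations could record that `args` is the smalloc'd copy freed on error, while `a` only ever points into the new stack and must never be freed, which is the invariant this fix restores.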