[ewg] [PATCH] libibumad: get_ca() can call release_ca() with uninitialized data

Ralph Campbell ralph.campbell at qlogic.com
Mon Feb 2 11:53:01 PST 2009


In umad.c, get_ca(), the error path when the call to
scandir() fails calls release_ca(ca) when the structure
has not yet been initialized. This can cause free() to
be called on random memory addresses.
The fix is to initialize ca->numports and ca->ports
earlier in get_ca().

Signed-off-by: Ralph Campbell <ralph.campbell at qlogic.com>

diff --git a/libibumad/src/umad.c b/libibumad/src/umad.c
index 78b956d..4f877e9 100644
--- a/libibumad/src/umad.c
+++ b/libibumad/src/umad.c
@@ -361,6 +361,8 @@ get_ca(char *ca_name, umad_ca_t *ca)
 	int r, i, ret;
 	int portnum;
 
+	ca->numports = 0;
+	memset(ca->ports, 0, sizeof ca->ports);
 	strncpy(ca->ca_name, ca_name, sizeof ca->ca_name);
 
 	snprintf(dir_name, sizeof(dir_name), "%s/%s", SYS_INFINIBAND,
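Review bot: moving `ca->numports = 0;` and the `memset` of `ca->ports` ahead of `strncpy()` only makes the early `release_ca(ca)` call safe if release_ca() treats a zero `numports` and NULL entries in `ca->ports` as nothing to free; release_ca() is not part of this patch, so the commit message should state that assumption, or the scandir() failure path should skip release_ca() entirely rather than rely on the zeroed state. Note also that `sizeof ca->ports` is only the full array size because `ports` is an embedded array in umad_ca_t; that was already true of the original memset, so behaviour is unchanged, but it is worth a comment since the line now sits before any other field is touched.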
@@ -394,8 +396,6 @@ get_ca(char *ca_name, umad_ca_t *ca)
 	}
 
 	ret = 0;
-	ca->numports = 0;
-	memset(ca->ports, 0, sizeof ca->ports);
 	for (i = 0; i < r; i++) {
 		portnum = 0;
 		if (!strcmp(".", namelist[i]->d_name) ||
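Review bot: dropping the reset here is equivalent to the old code only if nothing between the new initialization at the top of get_ca() and this point (the roughly thirty lines around the scandir() call, not shown in the diff) writes to `ca->numports` or `ca->ports`; please confirm that in the full function, since the loop that follows now depends on the earlier zeroing rather than on a reset immediately before it.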
