multipathd: fix REALLOC_REPLY with max length reply
authorBenjamin Marzinski <bmarzins@redhat.com>
Fri, 17 May 2019 16:14:09 +0000 (11:14 -0500)
committerChristophe Varoqui <christophe.varoqui@opensvc.com>
Wed, 3 Jul 2019 06:03:52 +0000 (08:03 +0200)
Commit cd5a9797e added code to REALLOC_REPLY() that intended to stop
growing the reply buffer after it reached a maximum size. However this
code didn't stop the realloc() from happening. Worse, if the realloc()
failed, multipathd would double free the reply buffer. Found by
Coverity.

Fixes: cd5a9797e "libmpathcmd(coverity): limit reply length"
Signed-off-by: Benjamin Marzinski <bmarzins@redhat.com>
multipathd/cli.h

index f3fa077..32dcffa 100644 (file)
@@ -100,15 +100,16 @@ enum {
                        if (m >= MAX_REPLY_LEN) {               \
                                condlog(1, "Warning: max reply length exceeded"); \
                                free(tmp);                      \
-                               r = NULL;                       \
+                               (r) = NULL;                     \
+                       } else {                                \
+                               (r) = REALLOC((r), (m) * 2);    \
+                               if ((r)) {                      \
+                                       memset((r) + (m), 0, (m)); \
+                                       (m) *= 2;               \
+                               }                               \
+                               else                            \
+                                       free(tmp);              \
                        }                                       \
-                       (r) = REALLOC((r), (m) * 2);            \
-                       if ((r)) {                              \
-                               memset((r) + (m), 0, (m));      \
-                               (m) *= 2;                       \
-                       }                                       \
-                       else                                    \
-                               free(tmp);                      \
                }                                               \
        } while (0)
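Review bot: The cap check on the first line of the hunk still reads `if (m >= MAX_REPLY_LEN) {` with `m` unparenthesized, while every line this commit adds uses `(m)`; writing it as `if ((m) >= MAX_REPLY_LEN) {` keeps the macro correct when a caller passes an expression. The check also compares the current size, not the size about to be requested. The `REALLOC((r), (m) * 2)` in the new else branch can therefore ask for almost twice MAX_REPLY_LEN, unless the starting length always doubles exactly onto the limit, which is not visible here. Both failure paths leave `(r)` NULL and `(m)` unchanged, so a comment above the macro such as `/* on failure the old buffer is freed, r becomes NULL and m keeps its old value */` would tell callers what to test; this assumes `tmp` holds the old `(r)`. The `#define` line and the declaration of `tmp` lie outside this hunk.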