|
 |
b1bcb2 |
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
|
|
b1bcb2 |
From: Chris Coulson <chris.coulson@canonical.com>
|
|
|
b1bcb2 |
Date: Wed, 18 Nov 2020 00:59:24 +0000
|
|
|
b1bcb2 |
Subject: [PATCH] kern/parser: Fix a memory leak
|
|
|
b1bcb2 |
|
|
|
b1bcb2 |
The getline() function supplied to grub_parser_split_cmdline() returns
|
|
|
b1bcb2 |
a newly allocated buffer and can be called multiple times, but the
|
|
|
b1bcb2 |
returned buffer is never freed.
|
|
|
b1bcb2 |
|
|
|
b1bcb2 |
Signed-off-by: Chris Coulson <chris.coulson@canonical.com>
|
|
|
b1bcb2 |
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
|
|
b1bcb2 |
---
|
|
|
b1bcb2 |
grub-core/kern/parser.c | 20 ++++++++++++++++----
|
|
|
b1bcb2 |
1 file changed, 16 insertions(+), 4 deletions(-)
|
|
|
b1bcb2 |
|
|
|
b1bcb2 |
diff --git a/grub-core/kern/parser.c b/grub-core/kern/parser.c
|
|
|
b1bcb2 |
index 94e8728d59a..23ebebf5ffa 100644
|
|
|
b1bcb2 |
--- a/grub-core/kern/parser.c
|
|
|
b1bcb2 |
+++ b/grub-core/kern/parser.c
|
|
|
b1bcb2 |
@@ -140,6 +140,7 @@ grub_parser_split_cmdline (const char *cmdline,
|
|
|
b1bcb2 |
char buffer[1024];
|
|
|
b1bcb2 |
char *bp = buffer;
|
|
|
b1bcb2 |
char *rd = (char *) cmdline;
|
|
|
b1bcb2 |
+ char *rp = rd;
|
|
|
b1bcb2 |
char varname[200];
|
|
|
b1bcb2 |
char *vp = varname;
|
|
|
b1bcb2 |
char *args;
|
|
|
b1bcb2 |
@@ -149,10 +150,18 @@ grub_parser_split_cmdline (const char *cmdline,
|
|
|
b1bcb2 |
*argv = NULL;
|
|
|
b1bcb2 |
do
|
|
|
b1bcb2 |
{
|
|
|
b1bcb2 |
- if (!rd || !*rd)
|
|
|
b1bcb2 |
+ if (rp == NULL || *rp == '\0')
|
|
|
b1bcb2 |
{
|
|
|
b1bcb2 |
+ if (rd != cmdline)
|
|
|
b1bcb2 |
+ {
|
|
|
b1bcb2 |
+ grub_free (rd);
|
|
|
b1bcb2 |
+ rd = rp = NULL;
|
|
|
b1bcb2 |
+ }
|
|
|
b1bcb2 |
if (getline)
|
|
|
b1bcb2 |
- getline (&rd, 1, getline_data);
|
|
|
b1bcb2 |
+ {
|
|
|
b1bcb2 |
+ getline (&rd, 1, getline_data);
|
|
|
b1bcb2 |
+ rp = rd;
|
|
|
b1bcb2 |
+ }
|
|
|
b1bcb2 |
else
|
|
|
b1bcb2 |
break;
|
|
|
b1bcb2 |
}
|
|
|
b1bcb2 |
@@ -160,12 +169,12 @@ grub_parser_split_cmdline (const char *cmdline,
|
|
|
b1bcb2 |
if (!rd)
|
|
|
b1bcb2 |
break;
|
|
|
b1bcb2 |
|
|
|
b1bcb2 |
- for (; *rd; rd++)
|
|
|
b1bcb2 |
+ for (; *rp != '\0'; rp++)
|
|
|
b1bcb2 |
{
|
|
|
b1bcb2 |
grub_parser_state_t newstate;
|
|
|
b1bcb2 |
char use;
|
|
|
b1bcb2 |
|
|
|
b1bcb2 |
- newstate = grub_parser_cmdline_state (state, *rd, &use;;
|
|
|
b1bcb2 |
+ newstate = grub_parser_cmdline_state (state, *rp, &use;;
|
|
|
b1bcb2 |
|
|
|
b1bcb2 |
/* If a variable was being processed and this character does
|
|
|
b1bcb2 |
not describe the variable anymore, write the variable to
|
|
|
b1bcb2 |
@@ -198,6 +207,9 @@ grub_parser_split_cmdline (const char *cmdline,
|
|
|
b1bcb2 |
}
|
|
|
b1bcb2 |
while (state != GRUB_PARSER_STATE_TEXT && !check_varstate (state));
|
|
|
b1bcb2 |
|
|
|
b1bcb2 |
+ if (rd != cmdline)
|
|
|
b1bcb2 |
+ grub_free (rd);
|
|
|
b1bcb2 |
+
|
|
|
b1bcb2 |
/* A special case for when the last character was part of a
|
|
|
b1bcb2 |
variable. */
|
|
|
b1bcb2 |
add_var (varname, &bp, &vp, state, GRUB_PARSER_STATE_TEXT);
|