diff options
| author | Jakub Kicinski <jakub.kicinski@netronome.com> | 2018-11-21 16:53:17 -0500 |
|---|---|---|
| committer | Daniel Borkmann <daniel@iogearbox.net> | 2018-11-21 18:45:51 -0500 |
| commit | dde7011a824cfa815b03f853ec985ff46b740939 (patch) | |
| tree | 615738fa87387cf31f46bdcd37ce87cce9edc50f /tools/bpf/bpftool/prog.c | |
| parent | 569a933b03f3c48b392fe67c0086b3a6b9306b5a (diff) | |
tools: bpftool: fix potential NULL pointer dereference in do_load
This patch fixes a possible null pointer dereference in
do_load, detected by the semantic patch deref_null.cocci,
with the following warning:
./tools/bpf/bpftool/prog.c:1021:23-25: ERROR: map_replace is NULL but dereferenced.
The following code has potential null pointer references:
881 map_replace = reallocarray(map_replace, old_map_fds + 1,
882 sizeof(*map_replace));
883 if (!map_replace) {
884 p_err("mem alloc failed");
885 goto err_free_reuse_maps;
886 }
...
1019 err_free_reuse_maps:
1020 for (i = 0; i < old_map_fds; i++)
1021 close(map_replace[i].fd);
1022 free(map_replace);
Fixes: 3ff5a4dc5d89 ("tools: bpftool: allow reuse of maps with bpftool prog load")
Co-developed-by: Wen Yang <wen.yang99@zte.com.cn>
Signed-off-by: Wen Yang <wen.yang99@zte.com.cn>
Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Diffstat (limited to 'tools/bpf/bpftool/prog.c')
| -rw-r--r-- | tools/bpf/bpftool/prog.c | 10 |
1 files changed, 7 insertions, 3 deletions
diff --git a/tools/bpf/bpftool/prog.c b/tools/bpf/bpftool/prog.c index 9785244acc7b..ccee180dfb76 100644 --- a/tools/bpf/bpftool/prog.c +++ b/tools/bpf/bpftool/prog.c | |||
| @@ -844,6 +844,7 @@ static int do_load(int argc, char **argv) | |||
| 844 | } | 844 | } |
| 845 | NEXT_ARG(); | 845 | NEXT_ARG(); |
| 846 | } else if (is_prefix(*argv, "map")) { | 846 | } else if (is_prefix(*argv, "map")) { |
| 847 | void *new_map_replace; | ||
| 847 | char *endptr, *name; | 848 | char *endptr, *name; |
| 848 | int fd; | 849 | int fd; |
| 849 | 850 | ||
| @@ -877,12 +878,15 @@ static int do_load(int argc, char **argv) | |||
| 877 | if (fd < 0) | 878 | if (fd < 0) |
| 878 | goto err_free_reuse_maps; | 879 | goto err_free_reuse_maps; |
| 879 | 880 | ||
| 880 | map_replace = reallocarray(map_replace, old_map_fds + 1, | 881 | new_map_replace = reallocarray(map_replace, |
| 881 | sizeof(*map_replace)); | 882 | old_map_fds + 1, |
| 882 | if (!map_replace) { | 883 | sizeof(*map_replace)); |
| 884 | if (!new_map_replace) { | ||
| 883 | p_err("mem alloc failed"); | 885 | p_err("mem alloc failed"); |
| 884 | goto err_free_reuse_maps; | 886 | goto err_free_reuse_maps; |
| 885 | } | 887 | } |
| 888 | map_replace = new_map_replace; | ||
| 889 | |||
| 886 | map_replace[old_map_fds].idx = idx; | 890 | map_replace[old_map_fds].idx = idx; |
| 887 | map_replace[old_map_fds].name = name; | 891 | map_replace[old_map_fds].name = name; |
| 888 | map_replace[old_map_fds].fd = fd; | 892 | map_replace[old_map_fds].fd = fd; |