From 0e5d767884253353d0e1e09585bd0f506674c4bf Mon Sep 17 00:00:00 2001 From: Warner Losh Date: Wed, 13 Sep 2017 04:32:23 +0000 Subject: [PATCH] Minor fixes to edge cases in efi_get_next_variable_name Fix allocating more memory for the names (unlikely to be needed, but still best to get right) to ask for the length the kernel told use we needed, not the old length of the variable. Mind the proper NUL that we add in the space we allocate. Free the old name string before we allcoate a new one to limit what we leak to the last one (free passed in name for the last one in the list), and detect the last one by rv != 0 and errno == ENOENT, rather then just the former to avoid false positives if errno happens to be ENOENT on entry. Sponsored by: Netflix --- lib/libefivar/efivar.c | 21 +++++++++++++++------ 1 file changed, 15 insertions(+), 6 deletions(-) diff --git a/lib/libefivar/efivar.c b/lib/libefivar/efivar.c index bce4a1449ab2..4e02eb80caef 100644 --- a/lib/libefivar/efivar.c +++ b/lib/libefivar/efivar.c @@ -225,8 +225,13 @@ efi_get_next_variable_name(efi_guid_t **guid, char **name) if (efi_open_dev() == -1) return -1; + /* + * Always allocate enough for an extra NUL on the end, but don't tell + * the IOCTL about it so we can NUL terminate the name before converting + * it to UTF8. + */ if (buf == NULL) - buf = malloc(buflen); + buf = malloc(buflen + sizeof(efi_char)); again: efi_var_reset(&var); @@ -244,21 +249,23 @@ efi_get_next_variable_name(efi_guid_t **guid, char **name) rv = ioctl(efi_fd, EFIIOC_VAR_NEXT, &var); if (rv == 0 && var.name == NULL) { /* - * oops, too little space. Try again. + * Variable name not long enough, so allocate more space for the + * name and try again. As above, mind the NUL we add. */ - void *new = realloc(buf, buflen); - buflen = var.namesize; + void *new = realloc(buf, var.namesize + sizeof(efi_char)); if (new == NULL) { rv = -1; errno = ENOMEM; goto done; } + buflen = var.namesize; buf = new; goto again; } if (rv == 0) { - *name = NULL; /* XXX */ + free(*name); /* Free last name, to avoid leaking */ + *name = NULL; /* Force ucs2_to_utf8 to malloc new space */ var.name[var.namesize / sizeof(efi_char)] = 0; /* EFI doesn't NUL terminate */ rv = ucs2_to_utf8(var.name, name); if (rv != 0) @@ -269,9 +276,11 @@ efi_get_next_variable_name(efi_guid_t **guid, char **name) errout: /* XXX The linux interface expects name to be a static buffer -- fix or leak memory? */ + /* XXX for the moment, we free just before we'd leak, but still leak last one */ done: - if (errno == ENOENT) { + if (rv != 0 && errno == ENOENT) { errno = 0; + free(*name); /* Free last name, to avoid leaking */ return 0; }