As the comment says, close() frees the variable, record. So we obtain

the length by evaluating the value from the copy, cbuf instead.  This
fixes a crash caused by previous commit (use-after-free)

Submitted by:	Dimitry Andric <dimitry andric com>
Pointy hat to:	delphij
This commit is contained in:
Xin LI 2009-05-14 23:09:33 +00:00
parent 9fe569d8f9
commit 718d3b2852

View File

@ -260,7 +260,7 @@ getent(char **cap, u_int *len, char **db_array, int fd, const char *name,
errno = ENOMEM;
return (-2);
}
*len = strlen(record);
*len = strlen(cbuf);
*cap = cbuf;
return (retval);
} else {