routed(8): Avoid NULL de-reference and two possible memory leaks.

The reports and fixes are straightforward but it's nice to be able to confirm against NetBSD. CID: 271080, 272306, 272307 Obtained from: NetBSD (CVS ref. 1.21 - 1.23) MFC after: 2 weeks.
2016-05-15 02:30:34 +00:00 · 2016-05-15 02:30:34 +00:00 · 7b011d21db
commit 7b011d21db
parent 126b5bb6a4
1 changed files with 9 additions and 3 deletions
--- a/sbin/routed/parms.c
+++ b/sbin/routed/parms.c
@ -588,8 +588,10 @@ parse_parms(char *line,
 			intnetp->intnet_metric = (int)strtol(val+1,&p,0);
 			if (*p != '\0'
 			    || intnetp->intnet_metric <= 0
-			    || intnetp->intnet_metric >= HOPCNT_INFINITY)
+			    || intnetp->intnet_metric >= HOPCNT_INFINITY) {
+				free(intnetp);
 				return bad_str(line);
+			}
 		}
 		if (!getnet(buf, &intnetp->intnet_addr, &intnetp->intnet_mask)
 		    || intnetp->intnet_mask == HOST_MASK
@ -670,7 +672,7 @@ parse_parms(char *line,
 			 * The parm_net stuff is needed to allow several
 			 * -F settings.
 			 */
-			if (!getnet(val0, &addr, &mask)
+			if (val0 == NULL || !getnet(val0, &addr, &mask)
 			    || parm.parm_name[0] != '\0')
 				return bad_str(tgt);
 			parm.parm_net = addr;
@ -681,6 +683,8 @@ parse_parms(char *line,
 			/* since cleartext passwords are so weak allow
 			 * them anywhere
 			 */
+			if (val0 == NULL)
+				return bad_str("no passwd");
 			msg = get_passwd(tgt,val0,&parm,RIP_AUTH_PW,1);
 			if (msg) {
 				*val0 = '\0';
@ -812,8 +816,10 @@ parse_parms(char *line,
 				    || !getnet(buf2, &tg->tgate_nets[i].net,
 					       &tg->tgate_nets[i].mask)
 				    || tg->tgate_nets[i].net == RIP_DEFAULT
-				    || tg->tgate_nets[i].mask == 0)
+				    || tg->tgate_nets[i].mask == 0) {
+					free(tg);
 					return bad_str(tgt);
+				}
 				i++;
 			}
 			tg->tgate_next = tgates;