/home/stefan/src/qemu/qemu.org/qemu/util/envlist.c

Bug Summary

File:	util/envlist.c
Location:	line 169, column 2
Description:	Use of memory after it is freed

Annotated Source Code

#include "qemu-common.h"

#include "qemu/queue.h"

#include "qemu/envlist.h"

struct envlist_entry {

const char *ev_var; /* actual env value */

QLIST_ENTRY(envlist_entry)struct { struct envlist_entry *le_next; struct envlist_entry *
*le_prev; } ev_link;

};

struct envlist {

QLIST_HEAD(, envlist_entry)struct { struct envlist_entry *lh_first; } el_entries; /* actual entries */

size_t el_count; /* number of entries */

};

static int envlist_parse(envlist_t *envlist,

const char *env, int (*)(envlist_t *, const char *));

* Allocates new envlist and returns pointer to that or

* NULL in case of error.

envlist_t *

envlist_create(void)

{

envlist_t *envlist;

if ((envlist = malloc(sizeof (*envlist))) == NULL((void*)0))

return (NULL((void*)0));

QLIST_INIT(&envlist->el_entries)do { (&envlist->el_entries)->lh_first = ((void*)0);
} while ( 0);

envlist->el_count = 0;

return (envlist);

}

* Releases given envlist and its entries.

void

envlist_free(envlist_t *envlist)

{

struct envlist_entry *entry;

assert(envlist != NULL)((envlist != ((void*)0)) ? (void) (0) : __assert_fail ("envlist != ((void*)0)"
, "/home/stefan/src/qemu/qemu.org/qemu/util/envlist.c", 44, __PRETTY_FUNCTION__
));

while (envlist->el_entries.lh_first != NULL((void*)0)) {

entry = envlist->el_entries.lh_first;

QLIST_REMOVE(entry, ev_link)do { if ((entry)->ev_link.le_next != ((void*)0)) (entry)->
ev_link.le_next->ev_link.le_prev = (entry)->ev_link.le_prev
; *(entry)->ev_link.le_prev = (entry)->ev_link.le_next;
} while ( 0);

free((char *)entry->ev_var);

free(entry);

}

free(envlist);

}

* Parses comma separated list of set/modify environment

* variable entries and updates given enlist accordingly.

* For example:

* envlist_parse(el, "HOME=foo,SHELL=/bin/sh");

* inserts/sets environment variables HOME and SHELL.

* Returns 0 on success, errno otherwise.

int

envlist_parse_set(envlist_t *envlist, const char *env)

{

return (envlist_parse(envlist, env, &envlist_setenv));

}

* Parses comma separated list of unset environment variable

* entries and removes given variables from given envlist.

* Returns 0 on success, errno otherwise.

int

envlist_parse_unset(envlist_t *envlist, const char *env)

{

return (envlist_parse(envlist, env, &envlist_unsetenv));

}

* Parses comma separated list of set, modify or unset entries

* and calls given callback for each entry.

* Returns 0 in case of success, errno otherwise.

static int

envlist_parse(envlist_t *envlist, const char *env,

int (*callback)(envlist_t *, const char *))

{

char *tmpenv, *envvar;

char *envsave = NULL((void*)0);

assert(callback != NULL)((callback != ((void*)0)) ? (void) (0) : __assert_fail ("callback != ((void*)0)"
, "/home/stefan/src/qemu/qemu.org/qemu/util/envlist.c", 98, __PRETTY_FUNCTION__
));

100

if ((envlist == NULL((void*)0)) || (env == NULL((void*)0)))

101

return (EINVAL22);

102

103

104

* We need to make temporary copy of the env string

105

* as strtok_r(3) modifies it while it tokenizes.

106

107

if ((tmpenv = strdup(env)) == NULL((void*)0))

108

return (errno(*__errno_location ()));

109

110

envvar = strtok_r(tmpenv, ",", &envsave);

111

while (envvar != NULL((void*)0)) {

112

if ((*callback)(envlist, envvar) != 0) {

113

free(tmpenv);

114

return (errno(*__errno_location ()));

115

}

116

envvar = strtok_r(NULL((void*)0), ",", &envsave);

117

}

118

119

free(tmpenv);

120

return (0);

121

}

122

123

124

* Sets environment value to envlist in similar manner

125

* than putenv(3).

126

127

* Returns 0 in success, errno otherwise.

128

129

int

130

envlist_setenv(envlist_t *envlist, const char *env)

131

{

132

struct envlist_entry *entry = NULL((void*)0);

133

const char *eq_sign;

134

size_t envname_len;

135

136

if ((envlist == NULL((void*)0)) || (env == NULL((void*)0)))

Assuming 'envlist' is not equal to null

→

←

Assuming 'env' is not equal to null

→

←

Taking false branch

→

137

return (EINVAL22);

138

139

/* find out first equals sign in given env */

140

if ((eq_sign = strchr(env, '=')) == NULL((void*)0))

←

Taking false branch

→

141

return (EINVAL22);

142

envname_len = eq_sign - env + 1;

143

144

145

* If there already exists variable with given name

146

* we remove and release it before allocating a whole

147

* new entry.

148

149

for (entry = envlist->el_entries.lh_first; entry != NULL((void*)0);

←

Assuming 'entry' is not equal to null

→

←

Loop condition is true. Entering loop body

→

150

entry = entry->ev_link.le_next) {

151

if (strncmp(entry->ev_var, env, envname_len) == 0)

←

Taking true branch

→

152

break;

←

Execution continues on line 155

→

153

}

154

155

if (entry != NULL((void*)0)) {

←

Taking true branch

→

156

157

free((char *)entry->ev_var);

158

free(entry);

←

Memory is released

→

159

} else {

160

envlist->el_count++;

161

}

162

163

if ((entry = malloc(sizeof (*entry))) == NULL((void*)0))

←

Taking false branch

→

164

return (errno(*__errno_location ()));

165

if ((entry->ev_var = strdup(env)) == NULL((void*)0)) {

←

Taking false branch

→

166

free(entry);

167

return (errno(*__errno_location ()));

168

}

169

QLIST_INSERT_HEAD(&envlist->el_entries, entry, ev_link)do { if (((entry)->ev_link.le_next = (&envlist->el_entries
)->lh_first) != ((void*)0)) (&envlist->el_entries)->
lh_first->ev_link.le_prev = &(entry)->ev_link.le_next
; (&envlist->el_entries)->lh_first = (entry); (entry
)->ev_link.le_prev = &(&envlist->el_entries)->
lh_first; } while ( 0);

←

Within the expansion of the macro 'QLIST_INSERT_HEAD':

a	Use of memory after it is freed

170

171

return (0);

172

}

173

174

175

* Removes given env value from envlist in similar manner

176

* than unsetenv(3). Returns 0 in success, errno otherwise.

177

178

int

179

envlist_unsetenv(envlist_t *envlist, const char *env)

180

{

181

struct envlist_entry *entry;

182

size_t envname_len;

183

184

if ((envlist == NULL((void*)0)) || (env == NULL((void*)0)))

185

return (EINVAL22);

186

187

/* env is not allowed to contain '=' */

188

if (strchr(env, '=') != NULL((void*)0))

189

return (EINVAL22);

190

191

192

* Find out the requested entry and remove

193

* it from the list.

194

195

envname_len = strlen(env);

196

for (entry = envlist->el_entries.lh_first; entry != NULL((void*)0);

197

entry = entry->ev_link.le_next) {

198

if (strncmp(entry->ev_var, env, envname_len) == 0)

199

break;

200

}

201

if (entry != NULL((void*)0)) {

202

203

free((char *)entry->ev_var);

204

free(entry);

205

206

envlist->el_count--;

207

}

208

return (0);

209

}

210

211

212

* Returns given envlist as array of strings (in same form that

213

* global variable environ is). Caller must free returned memory

214

* by calling free(3) for each element and for the array. Returned

215

* array and given envlist are not related (no common references).

216

217

* If caller provides count pointer, number of items in array is

218

* stored there. In case of error, NULL is returned and no memory

219

* is allocated.

220

221

char **

222

envlist_to_environ(const envlist_t *envlist, size_t *count)

223

{

224

struct envlist_entry *entry;

225

char **env, **penv;

226

227

penv = env = malloc((envlist->el_count + 1) * sizeof (char *));

228

if (env == NULL((void*)0))

229

return (NULL((void*)0));

230

231

for (entry = envlist->el_entries.lh_first; entry != NULL((void*)0);

232

entry = entry->ev_link.le_next) {

233

*(penv++) = strdup(entry->ev_var);

234

}

235

*penv = NULL((void*)0); /* NULL terminate the list */

236

237

if (count != NULL((void*)0))

238

*count = envlist->el_count;

239

240

return (env);

241

}