BUG/MINOR: tools: fix possible null-deref in env_expand() on out-of-memory

In GH issue #2586 @Bbulatov reported a theoretical null-deref in
env_expand() in case there's no memory anymore to expand an environment
variable. The function should return NULL in this case so that the only
caller (str2sa_range) sees it. In practice it may only happen during
boot thus is harmless but better fix it since it's easy. This can be
backported to all versions where this applies.

diff --git a/src/tools.c b/src/tools.c
index 7608e7e6daa7eeee6eed50c5a0d5ed3cbe05a0dc..b297d046b40da4b2da34e3c3a02c5dc924972de3 100644 (file)
--- a/src/tools.c
+++ b/src/tools.c
@@ -4627,8 +4627,9 @@ int my_unsetenv(const char *name)
  * corresponding value. A variable is identified as a series of alphanumeric
  * characters or underscores following a '$' sign. The <in> string must be
  * free()able. NULL returns NULL. The resulting string might be reallocated if
- * some expansion is made. Variable names may also be enclosed into braces if
- * needed (eg: to concatenate alphanum characters).
+ * some expansion is made (an NULL will be returned on failure). Variable names
+ * may also be enclosed into braces if needed (eg: to concatenate alphanum
+ * characters).
  */
 char *env_expand(char *in)
 {
@@ -4683,6 +4684,9 @@ char *env_expand(char *in)
                }
 
                out = my_realloc2(out, out_len + (txt_end - txt_beg) + val_len + 1);
+               if (!out)
+                       goto leave;
+
                if (txt_end > txt_beg) {
                        memcpy(out + out_len, txt_beg, txt_end - txt_beg);
                        out_len += txt_end - txt_beg;
@@ -4697,6 +4701,7 @@ char *env_expand(char *in)
 
        /* here we know that <out> was allocated and that we don't need <in> anymore */
        free(in);
+leave:
        return out;
 }