From: Mark Andrews <marka@isc.org>
Date: Wed, 27 Nov 2013 19:45:30 +0000 (+1100)
Subject: 3677.   [bug]           'nsupdate' leaked memory if 'realm' was used multiple
X-Git-Tag: v9.6-ESV-R11b1~9
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=db9a2a22918ad0e7f1ab9b2684f007ebe96bb866;p=thirdparty%2Fbind9.git

3677.   [bug]           'nsupdate' leaked memory if 'realm' was used multiple
                        times.  [RT #35073]

(cherry picked from commit 49ae04f6ee2f2e2578e6cd8cd3d4c74e9098ccb0)
---

diff --git a/CHANGES b/CHANGES
index 4e5fdb22d03..6cc10157322 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+3677.	[bug]		'nsupdate' leaked memory if 'realm' was used multiple
+			times.  [RT #35073]
+
 3676.	[bug]		"named-checkconf -z" now checks zones of type
 			hint as well as master. [RT #35046]
 
diff --git a/bin/nsupdate/nsupdate.c b/bin/nsupdate/nsupdate.c
index 7b64599665d..bb2029df26c 100644
--- a/bin/nsupdate/nsupdate.c
+++ b/bin/nsupdate/nsupdate.c
@@ -1421,16 +1421,20 @@ evaluate_realm(char *cmdline) {
 #ifdef GSSAPI
 	char *word;
 	char buf[1024];
+	int n;
 
-	word = nsu_strsep(&cmdline, " \t\r\n");
-	if (word == NULL || *word == 0) {
-		if (realm != NULL)
-			isc_mem_free(mctx, realm);
+	if (realm != NULL) {
+		isc_mem_free(mctx, realm);
 		realm = NULL;
-		return (STATUS_MORE);
 	}
 
-	snprintf(buf, sizeof(buf), "@%s", word);
+	word = nsu_strsep(&cmdline, " \t\r\n");
+	if (word == NULL || *word == 0)
+		return (STATUS_MORE);
+
+	n = snprintf(buf, sizeof(buf), "@%s", word);
+	if (n < 0 || (size_t)n >= sizeof(buf))
+		fatal("realm is too long");
 	realm = isc_mem_strdup(mctx, buf);
 	if (realm == NULL)
 		fatal("out of memory");