Bug 1631609

Summary: [RHEL7] BAD_FREE: "free" frees incorrect pointer "tmp" found by covscan in "libtirpc-0.2.4-0.15.el7" package
Product: Red Hat Enterprise Linux 7 Reporter: Zhi Li <yieli>
Component: libtirpcAssignee: Steve Dickson <steved>
Status: CLOSED ERRATA QA Contact: Zhi Li <yieli>
Severity: urgent Docs Contact:
Priority: high    
Version: 7.6CC: jiyin, rhandlin, xzhou, yoyang
Target Milestone: rcKeywords: Patch
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: libtirpc-0.2.4-0.16.el7 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1631614 (view as bug list) Environment:
Last Closed: 2019-08-06 12:40:15 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Zhi Li 2018-09-21 03:47:24 UTC 
Description of problem:
Please note there is a new Covscan defect need inspection:

Error: BAD_FREE (CWE-763): [#def11]
libtirpc-0.2.4/src/getnetconfig.c:708: address_assign: Assigning: "tmp" = "strchr(tmp, 0) + 1".
libtirpc-0.2.4/src/getnetconfig.c:714: incorrect_free: "free" frees incorrect pointer "tmp".
#  712|   	free(p->nc_netid);
#  713|   	free(p);
#  714|-> 	free(tmp);
#  715|   	return(NULL);
#  716|       }


Version-Release number of selected component (if applicable):
libtirpc-0.2.4-0.15.el7


Additional info:
The address originally returned by malloc() needs to be stored to be freed later on, not the shifted value of the address.

https://cov01.lab.eng.brq.redhat.com/covscanhub/waiving/24664/89669/#defects
Comment 2 Steve Dickson 2018-10-06 13:50:20 UTC 
commit 959b2001458bca8f9228014371aad6ccbeb95a68 (HEAD -> master, origin/master, origin/HEAD)
Author: Zhi Li <yieli>
Date:   Wed Sep 26 14:05:29 2018 -0400

    getnetconfig.c: fix a BAD_FREE (CWE-763)
    
    Signed-off-by: Steve Dickson <steved>
Comment 9 errata-xmlrpc 2019-08-06 12:40:15 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2061