pppd: Eliminate memory leak with multiple instances of a string option

This eliminates the memory leak which occurs when a user gives the
same string option multiple times.  Although the leak is trivial under
normal conditions, the fact that it can be triggered by the user
means that it may be of interest to attackers, so let's plug the leak.

This also means that any o_string option without OPT_STATIC set needs
to have opt->addr pointing to a pointer which starts out NULL.  That
is the case for all current uses of o_string.

Signed-off-by: Paul Mackerras <paulus@samba.org>

diff --git a/pppd/options.c b/pppd/options.c
index e9042d1f64e2b5bbf05c74a91587f049f011c2b8..f66b7657bc31c9b197b8449fa12902293fdf85d1 100644 (file)
--- a/pppd/options.c
+++ b/pppd/options.c
@@ -776,10 +776,13 @@ process_option(opt, cmd, argv)
        if (opt->flags & OPT_STATIC) {
            strlcpy((char *)(opt->addr), *argv, opt->upper_limit);
        } else {
+           char **optptr = (char **)(opt->addr);
            sv = strdup(*argv);
            if (sv == NULL)
                novm("option argument");
-           *(char **)(opt->addr) = sv;
+           if (*optptr)
+               free(*optptr);
+           *optptr = sv;
        }
        break;