From mboxrd@z Thu Jan  1 00:00:00 1970
From: Dmitriy Yakovlev <bombermag@gmail.com>
Subject: [PATCH] cfgfile: fix uninitialized variable on load error
Date: Tue,  7 Feb 2017 05:51:06 +0300
Message-ID: <1486435866-30562-1-git-send-email-bombermag@gmail.com>
Cc: Dmitriy Yakovlev <bombermag@gmail.com>
To: dev@dpdk.org
Return-path: <dev-bounces@dpdk.org>
Received: from mail-lf0-f65.google.com (mail-lf0-f65.google.com
 [209.85.215.65]) by dpdk.org (Postfix) with ESMTP id 0D1A0FFA
 for <dev@dpdk.org>; Tue,  7 Feb 2017 03:51:24 +0100 (CET)
Received: by mail-lf0-f65.google.com with SMTP id h65so5478941lfi.3
 for <dev@dpdk.org>; Mon, 06 Feb 2017 18:51:24 -0800 (PST)
List-Id: DPDK patches and discussions <dev.dpdk.org>
List-Unsubscribe: <http://dpdk.org/ml/options/dev>,
 <mailto:dev-request@dpdk.org?subject=unsubscribe>
List-Archive: <http://dpdk.org/ml/archives/dev/>
List-Post: <mailto:dev@dpdk.org>
List-Help: <mailto:dev-request@dpdk.org?subject=help>
List-Subscribe: <http://dpdk.org/ml/listinfo/dev>,
 <mailto:dev-request@dpdk.org?subject=subscribe>
Errors-To: dev-bounces@dpdk.org
Sender: "dev" <dev-bounces@dpdk.org>

Uninitialized scalar variable. Using uninitialized value cfg->sections[curr_section]->num_entries when calling rte_cfgfile_close.
And memory in variables cfg->sections[curr_section], sect->entries[curr_entry] maybe not equal NULL. We must decrement counters curr_section, curr_entry when failed to realloc.

Fixes: eaafbad419bf ("cfgfile: library to interpret config files")

Signed-off-by: Dmitriy Yakovlev <bombermag@gmail.com>
---
 lib/librte_cfgfile/rte_cfgfile.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/lib/librte_cfgfile/rte_cfgfile.c b/lib/librte_cfgfile/rte_cfgfile.c
index d72052a..829109a 100644
--- a/lib/librte_cfgfile/rte_cfgfile.c
+++ b/lib/librte_cfgfile/rte_cfgfile.c
@@ -151,6 +151,7 @@ struct rte_cfgfile *
 					sizeof(*cfg) + sizeof(cfg->sections[0])
 					* allocated_sections);
 				if (n_cfg == NULL) {
+					curr_section--;
 					printf("Error - no more memory\n");
 					goto error1;
 				}
@@ -198,6 +199,7 @@ struct rte_cfgfile *
 					sizeof(sect->entries[0]) *
 					allocated_entries);
 				if (n_sect == NULL) {
+					curr_entry--;
 					printf("Error - no more memory\n");
 					goto error1;
 				}
@@ -233,6 +235,8 @@ struct rte_cfgfile *
 
 error1:
 	cfg->num_sections = curr_section + 1;
+	if (curr_section >= 0)
+		cfg->sections[curr_section]->num_entries = curr_entry + 1;
 	rte_cfgfile_close(cfg);
 error2:
 	fclose(f);
-- 
1.9.1