In parse.y for OpenBSD's ntpd, would/could this result in a double free:
number : STRING {
u_long ulval;
const char *errstr;
ulval = strtonum($1, 0, INT_MAX, &errstr);
if (errstr) {
yyerror("\"%s\" invalid: %s", $1, errstr);
free($1);
YYERROR;
} else
$$ = ulval;
free($1);
}
;
From
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/ntpd/parse.y?rev=1.30&content-type=text/x-cvsweb-markup
The if statement will free($1) if it is not a valid u_long, then at
the end of the block, there is a subsequent free($1).
I'm a C newbie and I'm trying to learn, so don't beat me with the clue
stick too hard.
Axton
