From 28926a0e2f144b09ac9e0a4d019c7f649fd9d5c1 Mon Sep 17 00:00:00 2001
From: Jeremy Kerr <jk@ozlabs.org>
Date: Wed, 12 Mar 2014 14:22:47 +0800
Subject: ui/ncurses: Don't free item in pmenu_item_setup

Currently pmenu_item_setup may free its item parameter on error.

This makes it non-obvious whether the item is still allocated on exit to
the caller.

Instead, this change removes the talloc_free, and requires that the
caller do this on error. This makes the potential use-after-free in
cui_boot_editor_on_exit obvious, so we fix that too.

Signed-off-by: Jeremy Kerr <jk@ozlabs.org>
---
 ui/ncurses/nc-menu.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

(limited to 'ui/ncurses/nc-menu.c')

diff --git a/ui/ncurses/nc-menu.c b/ui/ncurses/nc-menu.c
index cd7c54e..654c389 100644
--- a/ui/ncurses/nc-menu.c
+++ b/ui/ncurses/nc-menu.c
@@ -106,10 +106,8 @@ struct pmenu_item *pmenu_item_setup(struct pmenu *menu, struct pmenu_item *i,
 	i->pmenu = menu;
 	i->nci = new_item(name, NULL);
 
-	if (!i->nci) {
-		talloc_free(i);
+	if (!i->nci)
 		return NULL;
-	}
 
 	set_item_userptr(i->nci, i);
 
-- 
cgit v1.2.1