From: Han Boetes Subject: fix potential NULL dereference in copy_list() on OOM To: tech@openbsd.org Cc: Omar Polo Date: Mon, 23 Feb 2026 19:21:30 +0100 While reviewing echo.c I noticed that copy_list() carefully handles malloc() failure with a full cleanup and return NULL, but the strdup() call two lines below it has no error check. On OOM, this would result in a NULL l_name being silently added to the list, potentially causing a NULL dereference in the caller. The following patch makes the error handling consistent. No idea how to trigger it, but it sure looks better. BR Han
--- a/echo.c
+++ b/echo.c
@@ -1011,8 +1011,17 @@
             }
             return (NULL);
         }
-        current->l_next = last;
         current->l_name = strdup(lp->l_name);
+        if (current->l_name == NULL) {
+            free(current);
+            for (current = last; current; current = nxt) {
+                nxt = current->l_next;
+                free(current->l_name);
+                free(current);
+            }
+            return (NULL);
+        }
+        current->l_next = last;
         last = current;
         lp = lp->l_next;
     }
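Review bot: The new strdup() failure branch repeats the unwinding loop of the malloc() failure branch directly above it (only that branch's closing lines are visible as context at the top of the hunk), so the function now carries two copies of the same free loop that can drift apart. Consider giving both branches one exit: the strdup() branch becomes `free(current); goto fail;` and the loop plus `return (NULL);` live once under a `fail:` label; the malloc() branch can take the same path because `free(NULL)` is a no-op. If the duplication stays, the new branch deserves a short comment such as `/* strdup failed: drop this node, then free the copies made so far */`. copy_list() starts and ends outside the hunk, so it cannot be confirmed here whether callers can tell this NULL-on-failure return apart from the result for an empty input list; that is worth checking before relying on the new error path.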