Discussion:
Memory leak in cephwrap_realpath (vfs_ceph.c)
Rungta, Vandana via samba-technical
2018-05-06 16:53:30 UTC
There are a couple of memory leak issues in cephwrap_realpath in vfs_ceph.c


1. “result” is double allocated by SMB_MALLOC_ARRAY and by asprintf.
2. The error code paths for r < 0 need to SAFE_FREE “result”.


diff --git a/source3/modules/vfs_ceph.c b/source3/modules/vfs_ceph.c

index 9abd321..18c5413 100644

--- a/source3/modules/vfs_ceph.c

+++ b/source3/modules/vfs_ceph.c

@@ -1187,30 +1187,30 @@ static struct smb_filename *cephwrap_realpath(struct vfs_handle_struct *handle,

TALLOC_CTX *ctx,

const struct smb_filename *smb_fname)

{

- char *result;

+ char *result = NULL;

const char *path = smb_fname->base_name;

size_t len = strlen(path);

struct smb_filename *result_fname = NULL;

+ int r;



- result = SMB_MALLOC_ARRAY(char, PATH_MAX+1);

if (len && (path[0] == '/')) {

- int r = asprintf(&result, "%s", path);

- if (r < 0) return NULL;

+ r = asprintf(&result, "%s", path);

} else if ((len >= 2) && (path[0] == '.') && (path[1] == '/')) {

if (len == 2) {

- int r = asprintf(&result, "%s",

+ r = asprintf(&result, "%s",

handle->conn->connectpath);

- if (r < 0) return NULL;

} else {

- int r = asprintf(&result, "%s/%s",

+ r = asprintf(&result, "%s/%s",

handle->conn->connectpath, &path[2]);

- if (r < 0) return NULL;

}

} else {

- int r = asprintf(&result, "%s/%s",

+ r = asprintf(&result, "%s/%s",

handle->conn->connectpath, path);

- if (r < 0) return NULL;

}

+ if (r < 0) {

+ SAFE_FREE(result);

+ return NULL;

+ }

DBG_DEBUG("[CEPH] realpath(%p, %s) = %s\n", handle, path, result);

result_fname = synthetic_smb_fname(ctx,
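Review bot: In the new consolidated `if (r < 0)` block, SAFE_FREE(result) runs after a failed asprintf, but glibc documents the contents of the output pointer as undefined when asprintf returns -1, so freeing it there is not guaranteed to be safe. With the SMB_MALLOC_ARRAY call removed, result owns nothing else at that point, so a plain `return NULL;` is sufficient; the `char *result = NULL;` initialisation is still worth keeping. Separately, the visible hunk stops at `synthetic_smb_fname(ctx,`, so it does not show whether the asprintf buffer is released on the success path once result_fname has been built; that is worth confirming in the same change, since it would be a third leak in this function if it is not.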
David Disseldorp via samba-technical
2018-05-07 09:11:42 UTC
Hi Vandana,
Post by Rungta, Vandana via samba-technical
> There are a couple of memory leak issues in cephwrap_realpath in vfs_ceph.c
> 1. “result” is double allocated by SMB_MALLOC_ARRAY and by asprintf.
> 2. The error code paths for r < 0 need to SAFE_FREE “result”.
Thanks for the report, your analysis looks correct to me.
Could you please resend your patch as an attachment or git pull URL, as
the inline version seems to be malformed.
Also, please add your sign-off to the commit.

Cheers, David
