Rungta, Vandana via samba-technical
2018-05-06 16:53:30 UTC
There are a couple of memory leak issues in cephwrap_realpath in vfs_ceph.c:
1. “result” is allocated twice, first by SMB_MALLOC_ARRAY and then by asprintf, so the first buffer is leaked.
2. The error code paths for r < 0 need to SAFE_FREE “result”.
diff --git a/source3/modules/vfs_ceph.c b/source3/modules/vfs_ceph.c
index 9abd321..18c5413 100644
--- a/source3/modules/vfs_ceph.c
+++ b/source3/modules/vfs_ceph.c
@@ -1187,30 +1187,30 @@ static struct smb_filename *cephwrap_realpath(struct vfs_handle_struct *handle,
TALLOC_CTX *ctx,
const struct smb_filename *smb_fname)
{
- char *result;
+ char *result = NULL;
const char *path = smb_fname->base_name;
size_t len = strlen(path);
struct smb_filename *result_fname = NULL;
+ int r;
- result = SMB_MALLOC_ARRAY(char, PATH_MAX+1);
if (len && (path[0] == '/')) {
- int r = asprintf(&result, "%s", path);
- if (r < 0) return NULL;
+ r = asprintf(&result, "%s", path);
} else if ((len >= 2) && (path[0] == '.') && (path[1] == '/')) {
if (len == 2) {
- int r = asprintf(&result, "%s",
+ r = asprintf(&result, "%s",
handle->conn->connectpath);
- if (r < 0) return NULL;
} else {
- int r = asprintf(&result, "%s/%s",
+ r = asprintf(&result, "%s/%s",
handle->conn->connectpath, &path[2]);
- if (r < 0) return NULL;
}
} else {
- int r = asprintf(&result, "%s/%s",
+ r = asprintf(&result, "%s/%s",
handle->conn->connectpath, path);
- if (r < 0) return NULL;
}
+ if (r < 0) {
+ SAFE_FREE(result);
+ return NULL;
+ }
DBG_DEBUG("[CEPH] realpath(%p, %s) = %s\n", handle, path, result);
result_fname = synthetic_smb_fname(ctx,
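Review bot: The `SAFE_FREE(result)` in the new `if (r < 0)` block frees a pointer whose value is not guaranteed after a failed asprintf(); glibc documents the contents of the output pointer as undefined on error, so this can hand an indeterminate pointer to free(). With the SMB_MALLOC_ARRAY call removed there is nothing left to release on that path, so I would reduce it to `if (r < 0) { return NULL; }`. The function body continues past the end of the hunk, so whether `result` is released after synthetic_smb_fname() cannot be checked from here and is worth confirming. The same hunk is repeated further down the page and the point applies there unchanged.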
1. “result” is double allocated by SMB_MALLOC_ARRAY and by asprintf .
2. The error code paths for r < 0 need to SAFE_FREE “result”.
diff --git a/source3/modules/vfs_ceph.c b/source3/modules/vfs_ceph.c
index 9abd321..18c5413 100644
--- a/source3/modules/vfs_ceph.c
+++ b/source3/modules/vfs_ceph.c
@@ -1187,30 +1187,30 @@ static struct smb_filename *cephwrap_realpath(struct vfs_handle_struct *handle,
TALLOC_CTX *ctx,
const struct smb_filename *smb_fname)
{
- char *result;
+ char *result = NULL;
const char *path = smb_fname->base_name;
size_t len = strlen(path);
struct smb_filename *result_fname = NULL;
+ int r;
- result = SMB_MALLOC_ARRAY(char, PATH_MAX+1);
if (len && (path[0] == '/')) {
- int r = asprintf(&result, "%s", path);
- if (r < 0) return NULL;
+ r = asprintf(&result, "%s", path);
} else if ((len >= 2) && (path[0] == '.') && (path[1] == '/')) {
if (len == 2) {
- int r = asprintf(&result, "%s",
+ r = asprintf(&result, "%s",
handle->conn->connectpath);
- if (r < 0) return NULL;
} else {
- int r = asprintf(&result, "%s/%s",
+ r = asprintf(&result, "%s/%s",
handle->conn->connectpath, &path[2]);
- if (r < 0) return NULL;
}
} else {
- int r = asprintf(&result, "%s/%s",
+ r = asprintf(&result, "%s/%s",
handle->conn->connectpath, path);
- if (r < 0) return NULL;
}
+ if (r < 0) {
+ SAFE_FREE(result);
+ return NULL;
+ }
DBG_DEBUG("[CEPH] realpath(%p, %s) = %s\n", handle, path, result);
result_fname = synthetic_smb_fname(ctx,