https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=207626
Bug ID: 207626
Summary: Memory leak in ctl.c
Product: Base System
Version: 11.0-CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Many People
Priority: ---
Component: kern
Assignee: freebsd-bugs@FreeBSD.org
Reporter: ct...@hardenedbsd.org
There is a memory leak in `sys/cam/ctl/ctl.c`.
`ctl_copyin_alloc` performs and returns an allocation with `malloc`:
static void *
ctl_copyin_alloc(void *user_addr, int len, char *error_str,
size_t error_str_len)
{
void *kptr;
kptr = malloc(len, M_CTL, M_WAITOK | M_ZERO);
if (copyin(user_addr, kptr, len) != 0) {
snprintf(error_str, error_str_len, "Error copying %d bytes "
"from user address %p to kernel address %p", len,
user_addr, kptr);
free(kptr, M_CTL);
return (NULL);
}
return (kptr);
}
`ctl_copyin_args` calls this function, but doesn't free the returned allocation
on the condition that the string is not terminated, before going to `bailout`:
static struct ctl_be_arg *
ctl_copyin_args(int num_args, struct ctl_be_arg *uargs,
char *error_str, size_t error_str_len)
{
...
uint8_t *tmpptr;
...
if (args[i].flags & CTL_BEARG_RD) {
tmpptr = ctl_copyin_alloc(args[i].value,
args[i].vallen, error_str, error_str_len);
if (tmpptr == NULL)
goto bailout;
if ((args[i].flags & CTL_BEARG_ASCII)
&& (tmpptr[args[i].vallen - 1] != '\0')) {
snprintf(error_str, error_str_len, "Argument "
"%d value is not NUL-terminated", i);
goto bailout;
}
args[i].kvalue = tmpptr;
} else {
args[i].kvalue = malloc(args[i].vallen,
M_CTL, M_WAITOK | M_ZERO);
}
}
return (args);
bailout:
ctl_free_args(num_args, args);
return (NULL);
}
Should be:
snprintf(error_str, error_str_len, "Argument "
"%d value is not NUL-terminated", i);
free(tmpptr);
goto bailout;
--
You are receiving this mail because:
You are the assignee for the bug.
_______________________________________________
freebsd-bugs@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-bugs
To unsubscribe, send any mail to "freebsd-bugs-unsubscr...@freebsd.org"
