[PATCH master 1/3] commands: readline: fix memory leak on wrong usage

[PATCH master 1/3] commands: readline: fix memory leak on wrong usage

[Ahmad Fatoum]

Later error-handling frees buf, but the first early exit doesn't.
Move buf beyond it to fix the memory leak.

Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
---
 commands/readline.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/commands/readline.c b/commands/readline.c
index 403ac8563a36..7933a58c08b4 100644
--- a/commands/readline.c
+++ b/commands/readline.c
@@ -10,11 +10,13 @@
 
 static int do_readline(int argc, char *argv[])
 {
-	char *buf = xzalloc(CONFIG_CBSIZE);
+	char *buf;
 
 	if (argc < 3)
 		return COMMAND_ERROR_USAGE;
 
+	buf = xzalloc(CONFIG_CBSIZE);
+
 	command_slice_release();
 
 	if (readline(argv[1], buf, CONFIG_CBSIZE) < 0) {
-- 
2.29.2


_______________________________________________
barebox mailing list
barebox@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/barebox

[PATCH master 2/3] common: readline: fix possible buffer overflows

[Ahmad Fatoum]

Entering very long lines can crash the readline prompt due to missing
NUL terminator. Make sure we don't exceed CONFIG_CBSIZE to avoid this.

Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
---
 commands/readline.c | 2 +-
 common/hush.c       | 2 +-
 common/parser.c     | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/commands/readline.c b/commands/readline.c
index 7933a58c08b4..57c8fbd7bc80 100644
--- a/commands/readline.c
+++ b/commands/readline.c
@@ -19,7 +19,7 @@ static int do_readline(int argc, char *argv[])
 
 	command_slice_release();
 
-	if (readline(argv[1], buf, CONFIG_CBSIZE) < 0) {
+	if (readline(argv[1], buf, CONFIG_CBSIZE - 1) < 0) {
 		command_slice_acquire();
 		free(buf);
 		return COMMAND_ERROR;
diff --git a/common/hush.c b/common/hush.c
index 763e6cf74bbc..0475401321d1 100644
--- a/common/hush.c
+++ b/common/hush.c
@@ -451,7 +451,7 @@ static void get_user_input(struct in_str *i)
 
 	command_slice_release();
 
-	n = readline(prompt, console_buffer, CONFIG_CBSIZE);
+	n = readline(prompt, console_buffer, CONFIG_CBSIZE - 1);
 
 	command_slice_acquire();
 
diff --git a/common/parser.c b/common/parser.c
index fb9ef42e7fab..584d4b0efece 100644
--- a/common/parser.c
+++ b/common/parser.c
@@ -270,7 +270,7 @@ int run_shell(void)
 	login();
 
 	for (;;) {
-		len = readline (CONFIG_PROMPT, console_buffer, CONFIG_CBSIZE);
+		len = readline (CONFIG_PROMPT, console_buffer, CONFIG_CBSIZE - 1);
 
 		if (len > 0)
 			strcpy (lastcommand, console_buffer);
-- 
2.29.2


_______________________________________________
barebox mailing list
barebox@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/barebox

[PATCH master 3/3] sandbox: fix use of initialized variable in error path

[Ahmad Fatoum]

fd could be uninitialized in some error paths. Give it a value that
close can be called on without adverse effect.

Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
---
 arch/sandbox/os/common.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/arch/sandbox/os/common.c b/arch/sandbox/os/common.c
index fd75cc04cc16..d09604af1400 100644
--- a/arch/sandbox/os/common.c
+++ b/arch/sandbox/os/common.c
@@ -321,7 +321,7 @@ int linux_open_hostfile(struct hf_info *hf)
 {
 	char *buf = NULL;
 	struct stat s;
-	int fd;
+	int fd = -1;
 
 	printf("add %s %sbacked by file %s%s\n", hf->devname,
 	       hf->filename ? "" : "initially un", hf->filename ?: "",
@@ -408,7 +408,7 @@ int linux_open_hostfile(struct hf_info *hf)
 	return 0;
 
 err_out:
-	if (fd > 0)
+	if (fd >= 0)
 		close(fd);
 	free(buf);
 	return -1;
-- 
2.29.2


_______________________________________________
barebox mailing list
barebox@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/barebox

Re: [PATCH master 1/3] commands: readline: fix memory leak on wrong usage

[Sascha Hauer]

On Mon, Mar 22, 2021 at 07:55:25AM +0100, Ahmad Fatoum wrote:
> Later error-handling frees buf, but the first early exit doesn't.
> Move buf beyond it to fix the memory leak.
> 
> Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
> ---

Applied, thanks

Sascha

>  commands/readline.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
> 
> diff --git a/commands/readline.c b/commands/readline.c
> index 403ac8563a36..7933a58c08b4 100644
> --- a/commands/readline.c
> +++ b/commands/readline.c
> @@ -10,11 +10,13 @@
>  
>  static int do_readline(int argc, char *argv[])
>  {
> -	char *buf = xzalloc(CONFIG_CBSIZE);
> +	char *buf;
>  
>  	if (argc < 3)
>  		return COMMAND_ERROR_USAGE;
>  
> +	buf = xzalloc(CONFIG_CBSIZE);
> +
>  	command_slice_release();
>  
>  	if (readline(argv[1], buf, CONFIG_CBSIZE) < 0) {
> -- 
> 2.29.2
> 
> 
> _______________________________________________
> barebox mailing list
> barebox@lists.infradead.org
> http://lists.infradead.org/mailman/listinfo/barebox
> 

-- 
Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |

_______________________________________________
barebox mailing list
barebox@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/barebox