* possible memory leak in commands/nand.c?
@ 2009-12-20 19:33 Robert P. J. Day
2009-12-21 8:45 ` Sascha Hauer
0 siblings, 1 reply; 4+ messages in thread
From: Robert P. J. Day @ 2009-12-20 19:33 UTC (permalink / raw)
To: U-Boot Version 2 (barebox)
once again, perhaps i'm just misreading this but consider this code
from commands/nand.c, noting the two early calls to asprintf():
===== begin =====
bb = xzalloc(sizeof(*bb));
bb->devname = asprintf("/dev/%s", basename(path));
if (name)
bb->cdev.name = strdup(name);
else
bb->cdev.name = asprintf("%s.bb", basename(path));
ret = stat(bb->devname, &s);
if (ret)
goto free_out;
bb->raw_size = s.st_size;
bb->fd = open(bb->devname, O_RDWR);
if (bb->fd < 0) {
ret = -ENODEV;
goto free_out;
}
ret = ioctl(bb->fd, MEMGETINFO, &bb->info);
if (ret)
goto free_out;
nand_bb_calc_size(bb);
bb->cdev.ops = &nand_bb_ops;
bb->cdev.priv = bb;
devfs_create(&bb->cdev);
return 0;
free_out:
free(bb);
return ret;
===== end =====
if something in the latter part of that code fails and control jumps
to the label "free_out", won't this code fail to free() the memory
allocated in the two asprintf() calls? isn't the programmer
explicitly required to free memory allocated with asprintf() or
vasprintf() calls?
rday
--
========================================================================
Robert P. J. Day Waterloo, Ontario, CANADA
Linux Consulting, Training and Kernel Pedantry.
Web page: http://crashcourse.ca
Twitter: http://twitter.com/rpjday
========================================================================
_______________________________________________
barebox mailing list
barebox@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/barebox
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: possible memory leak in commands/nand.c?
2009-12-20 19:33 possible memory leak in commands/nand.c? Robert P. J. Day
@ 2009-12-21 8:45 ` Sascha Hauer
2009-12-21 9:17 ` Robert P. J. Day
0 siblings, 1 reply; 4+ messages in thread
From: Sascha Hauer @ 2009-12-21 8:45 UTC (permalink / raw)
To: Robert P. J. Day; +Cc: U-Boot Version 2 (barebox)
On Sun, Dec 20, 2009 at 02:33:11PM -0500, Robert P. J. Day wrote:
>
> once again, perhaps i'm just misreading this but consider this code
> from commands/nand.c, noting the two early calls to asprintf():
>
> ===== begin =====
>
> bb = xzalloc(sizeof(*bb));
> bb->devname = asprintf("/dev/%s", basename(path));
> if (name)
> bb->cdev.name = strdup(name);
> else
> bb->cdev.name = asprintf("%s.bb", basename(path));
>
> ret = stat(bb->devname, &s);
> if (ret)
> goto free_out;
>
> bb->raw_size = s.st_size;
>
> bb->fd = open(bb->devname, O_RDWR);
> if (bb->fd < 0) {
> ret = -ENODEV;
> goto free_out;
> }
>
> ret = ioctl(bb->fd, MEMGETINFO, &bb->info);
> if (ret)
> goto free_out;
>
> nand_bb_calc_size(bb);
> bb->cdev.ops = &nand_bb_ops;
> bb->cdev.priv = bb;
>
> devfs_create(&bb->cdev);
>
> return 0;
>
> free_out:
> free(bb);
> return ret;
>
> ===== end =====
>
> if something in the latter part of that code fails and control jumps
> to the label "free_out", won't this code fail to free() the memory
> allocated in the two asprintf() calls? isn't the programmer
> explicitly required to free memory allocated with asprintf() or
> vasprintf() calls?
Yes, indeed, that's a memory hole here. The following should fix this.
Thanks for noting.
Sascha
From 4e4b03cd61808383a98cb1d10a47025e1909e0bd Mon Sep 17 00:00:00 2001
From: Sascha Hauer <s.hauer@pengutronix.de>
Date: Mon, 21 Dec 2009 09:41:52 +0100
Subject: [PATCH] commands/nand.c: Fix memory hole
Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
---
commands/nand.c | 22 +++++++++++++++++-----
1 files changed, 17 insertions(+), 5 deletions(-)
diff --git a/commands/nand.c b/commands/nand.c
index cbf1058..55b89af 100644
--- a/commands/nand.c
+++ b/commands/nand.c
@@ -224,31 +224,37 @@ static struct file_operations nand_bb_ops = {
int dev_add_bb_dev(char *path, const char *name)
{
struct nand_bb *bb;
- int ret;
+ int ret = -ENOMEM;
struct stat s;
bb = xzalloc(sizeof(*bb));
bb->devname = asprintf("/dev/%s", basename(path));
+ if (!bb->devname)
+ goto out1;
+
if (name)
bb->cdev.name = strdup(name);
else
bb->cdev.name = asprintf("%s.bb", basename(path));
+ if (!bb->cdev.name)
+ goto out2;
+
ret = stat(bb->devname, &s);
if (ret)
- goto free_out;
+ goto out3;
bb->raw_size = s.st_size;
bb->fd = open(bb->devname, O_RDWR);
if (bb->fd < 0) {
ret = -ENODEV;
- goto free_out;
+ goto out3;
}
ret = ioctl(bb->fd, MEMGETINFO, &bb->info);
if (ret)
- goto free_out;
+ goto out4;
nand_bb_calc_size(bb);
bb->cdev.ops = &nand_bb_ops;
@@ -258,7 +264,13 @@ int dev_add_bb_dev(char *path, const char *name)
return 0;
-free_out:
+out4:
+ close(bb->fd);
+out3:
+ free(bb->cdev.name);
+out2:
+ free(bb->devname);
+out1:
free(bb);
return ret;
}
--
1.6.5.2
--
Pengutronix e.K. | |
Industrial Linux Solutions | http://www.pengutronix.de/ |
Peiner Str. 6-8, 31137 Hildesheim, Germany | Phone: +49-5121-206917-0 |
Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
_______________________________________________
barebox mailing list
barebox@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/barebox
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: possible memory leak in commands/nand.c?
2009-12-21 8:45 ` Sascha Hauer
@ 2009-12-21 9:17 ` Robert P. J. Day
2009-12-21 10:16 ` Sascha Hauer
0 siblings, 1 reply; 4+ messages in thread
From: Robert P. J. Day @ 2009-12-21 9:17 UTC (permalink / raw)
To: Sascha Hauer; +Cc: U-Boot Version 2 (barebox)
On Mon, 21 Dec 2009, Sascha Hauer wrote:
... snip ...
> Yes, indeed, that's a memory hole here. The following should fix
> this. Thanks for noting.
>
> Sascha
>
>
> >From 4e4b03cd61808383a98cb1d10a47025e1909e0bd Mon Sep 17 00:00:00 2001
> From: Sascha Hauer <s.hauer@pengutronix.de>
> Date: Mon, 21 Dec 2009 09:41:52 +0100
> Subject: [PATCH] commands/nand.c: Fix memory hole
>
> Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
> ---
> commands/nand.c | 22 +++++++++++++++++-----
> 1 files changed, 17 insertions(+), 5 deletions(-)
>
> diff --git a/commands/nand.c b/commands/nand.c
> index cbf1058..55b89af 100644
> --- a/commands/nand.c
> +++ b/commands/nand.c
> @@ -224,31 +224,37 @@ static struct file_operations nand_bb_ops = {
> int dev_add_bb_dev(char *path, const char *name)
> {
> struct nand_bb *bb;
> - int ret;
> + int ret = -ENOMEM;
> struct stat s;
>
> bb = xzalloc(sizeof(*bb));
> bb->devname = asprintf("/dev/%s", basename(path));
> + if (!bb->devname)
> + goto out1;
> +
> if (name)
> bb->cdev.name = strdup(name);
> else
> bb->cdev.name = asprintf("%s.bb", basename(path));
>
> + if (!bb->cdev.name)
> + goto out2;
> +
> ret = stat(bb->devname, &s);
> if (ret)
> - goto free_out;
> + goto out3;
>
> bb->raw_size = s.st_size;
>
> bb->fd = open(bb->devname, O_RDWR);
> if (bb->fd < 0) {
> ret = -ENODEV;
> - goto free_out;
> + goto out3;
> }
>
> ret = ioctl(bb->fd, MEMGETINFO, &bb->info);
> if (ret)
> - goto free_out;
> + goto out4;
>
> nand_bb_calc_size(bb);
> bb->cdev.ops = &nand_bb_ops;
> @@ -258,7 +264,13 @@ int dev_add_bb_dev(char *path, const char *name)
>
> return 0;
>
> -free_out:
> +out4:
> + close(bb->fd);
> +out3:
> + free(bb->cdev.name);
> +out2:
> + free(bb->devname);
> +out1:
> free(bb);
> return ret;
> }
i'm not sure this required distinguishing between every one of those
cases since the initial space was allocated with xzalloc(),
guaranteeing it would be zero-filled, and freeing a NULL pointer is
supposed to be a no-op.
so it would have been simpler to just
free(bb->devname); # might be NULL, no problem
free(bb->cdev.name); # same here
free(bb);
but, yes, the above will work.
there's another memory leak i've found, i'll submit a patch for it,
for no other reason than i feel like getting a few patches with my
name on it into the barebox git log. :-)
rday
--
========================================================================
Robert P. J. Day Waterloo, Ontario, CANADA
Linux Consulting, Training and Kernel Pedantry.
Web page: http://crashcourse.ca
Twitter: http://twitter.com/rpjday
========================================================================
_______________________________________________
barebox mailing list
barebox@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/barebox
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: possible memory leak in commands/nand.c?
2009-12-21 9:17 ` Robert P. J. Day
@ 2009-12-21 10:16 ` Sascha Hauer
0 siblings, 0 replies; 4+ messages in thread
From: Sascha Hauer @ 2009-12-21 10:16 UTC (permalink / raw)
To: Robert P. J. Day; +Cc: U-Boot Version 2 (barebox)
On Mon, Dec 21, 2009 at 04:17:29AM -0500, Robert P. J. Day wrote:
> On Mon, 21 Dec 2009, Sascha Hauer wrote:
>
> ... snip ...
>
> > Yes, indeed, that's a memory hole here. The following should fix
> > this. Thanks for noting.
> >
> > Sascha
> >
> >
> > >From 4e4b03cd61808383a98cb1d10a47025e1909e0bd Mon Sep 17 00:00:00 2001
> > From: Sascha Hauer <s.hauer@pengutronix.de>
> > Date: Mon, 21 Dec 2009 09:41:52 +0100
> > Subject: [PATCH] commands/nand.c: Fix memory hole
> >
> > Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
> > ---
> > commands/nand.c | 22 +++++++++++++++++-----
> > 1 files changed, 17 insertions(+), 5 deletions(-)
> >
> > diff --git a/commands/nand.c b/commands/nand.c
> > index cbf1058..55b89af 100644
> > --- a/commands/nand.c
> > +++ b/commands/nand.c
> > @@ -224,31 +224,37 @@ static struct file_operations nand_bb_ops = {
> > int dev_add_bb_dev(char *path, const char *name)
> > {
> > struct nand_bb *bb;
> > - int ret;
> > + int ret = -ENOMEM;
> > struct stat s;
> >
> > bb = xzalloc(sizeof(*bb));
> > bb->devname = asprintf("/dev/%s", basename(path));
> > + if (!bb->devname)
> > + goto out1;
> > +
> > if (name)
> > bb->cdev.name = strdup(name);
> > else
> > bb->cdev.name = asprintf("%s.bb", basename(path));
> >
> > + if (!bb->cdev.name)
> > + goto out2;
> > +
> > ret = stat(bb->devname, &s);
> > if (ret)
> > - goto free_out;
> > + goto out3;
> >
> > bb->raw_size = s.st_size;
> >
> > bb->fd = open(bb->devname, O_RDWR);
> > if (bb->fd < 0) {
> > ret = -ENODEV;
> > - goto free_out;
> > + goto out3;
> > }
> >
> > ret = ioctl(bb->fd, MEMGETINFO, &bb->info);
> > if (ret)
> > - goto free_out;
> > + goto out4;
> >
> > nand_bb_calc_size(bb);
> > bb->cdev.ops = &nand_bb_ops;
> > @@ -258,7 +264,13 @@ int dev_add_bb_dev(char *path, const char *name)
> >
> > return 0;
> >
> > -free_out:
> > +out4:
> > + close(bb->fd);
> > +out3:
> > + free(bb->cdev.name);
> > +out2:
> > + free(bb->devname);
> > +out1:
> > free(bb);
> > return ret;
> > }
>
> i'm not sure this required distinguishing between every one of those
> cases since the initial space was allocated with xzalloc(),
> guaranteeing it would be zero-filled, and freeing a NULL pointer is
> supposed to be a no-op.
>
> so it would have been simpler to just
>
> free(bb->devname); # might be NULL, no problem
> free(bb->cdev.name); # same here
> free(bb);
Yes, you're right. OTOH we probably do not save anything by removing
the different jump labels.
Sascha
>
--
Pengutronix e.K. | |
Industrial Linux Solutions | http://www.pengutronix.de/ |
Peiner Str. 6-8, 31137 Hildesheim, Germany | Phone: +49-5121-206917-0 |
Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
_______________________________________________
barebox mailing list
barebox@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/barebox
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2009-12-21 10:17 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2009-12-20 19:33 possible memory leak in commands/nand.c? Robert P. J. Day
2009-12-21 8:45 ` Sascha Hauer
2009-12-21 9:17 ` Robert P. J. Day
2009-12-21 10:16 ` Sascha Hauer
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox