Re: [PATCH] iw: Memory leak in error condition

Julian Calaby <julian.calaby@xxxxxxxxx> · Thu, 1 Oct 2015 09:34:00 +1000

Hi Ola,

On Thu, Oct 1, 2015 at 9:27 AM, Ola Olsson <ola1olsson@xxxxxxxxx> wrote:
> Oh yes! :)
> Suddenly valgrind was happy as well.
>
> From 2724dd259f2bf61a2b7c85a70a70fd640a583453 Mon Sep 17 00:00:00 2001
> From: Ola Olsson <ola.olsson@xxxxxxxxxxxxxx>
> Date: Thu, 1 Oct 2015 00:43:06 +0200
> Subject: [PATCH] iw: Memory leak in error condition Signed-off-by: Ola Olsson
>  <ola.olsson@xxxxxxxxxxxxxx>
>
> ---
>  scan.c |    5 ++++-
>  1 file changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/scan.c b/scan.c
> index e959c1b..f3441a7 100644
> --- a/scan.c
> +++ b/scan.c
> @@ -445,8 +445,11 @@ static int handle_scan(struct nl80211_state *state,
>
>         if (ies || meshid) {
>                 tmpies = (unsigned char *) malloc(ies_len + meshid_len);
> -               if (!tmpies)
> +               if (!tmpies) {
> +                       free(ies);
> +                       free(meshid);
>                         goto nla_put_failure;
> +               }
>                 if (ies) {

free() doesn't set it to "null" or anything like that, so isn't the
line above a use-after-free?

>                         memcpy(tmpies, ies, ies_len);
>                         free(ies);
> --
> 1.7.9.5
>
> On Thu, Oct 1, 2015 at 1:16 AM, James Cameron <quozl@xxxxxxxxxx> wrote:
>> On Thu, Oct 01, 2015 at 01:01:18AM +0200, Ola Olsson wrote:
>>> >From 5239e8e9aa79a131b716398efbf7a1203decbd9b Mon Sep 17 00:00:00 2001
>>> From: Ola Olsson <ola.olsson@xxxxxxxxxxxxxx>
>>> Date: Thu, 1 Oct 2015 00:43:06 +0200
>>> Subject: [PATCH] iw: Memory leak in error condition Signed-off-by: Ola
>>>  Olsson <ola.olsson@xxxxxxxxxxxxxx>
>>>
>>> ---
>>>  scan.c |    2 ++
>>>  1 file changed, 2 insertions(+)
>>>
>>> diff --git a/scan.c b/scan.c
>>> index e959c1b..f248981 100644
>>> --- a/scan.c
>>> +++ b/scan.c
>>> @@ -446,6 +446,8 @@ static int handle_scan(struct nl80211_state *state,
>>>         if (ies || meshid) {
>>>                 tmpies = (unsigned char *) malloc(ies_len + meshid_len);
>>>                 if (!tmpies)
>>> +                       free(ies);
>>> +                       free(meshid);
>>>                         goto nla_put_failure;
>>
>> Braces?  { }
>>
>>
>>>                 if (ies) {
>>>                         memcpy(tmpies, ies, ies_len);
>>> --
>>> 1.7.9.5
>>> --
>>> To unsubscribe from this list: send the line "unsubscribe linux-wireless" in
>>> the body of a message to majordomo@xxxxxxxxxxxxxxx
>>> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>>
>> --
>> James Cameron
>> http://quozl.linux.org.au/
> --
> To unsubscribe from this list: send the line "unsubscribe linux-wireless" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at  http://vger.kernel.org/majordomo-info.html

-- 
Julian Calaby

Email: julian.calaby@xxxxxxxxx
Profile: http://www.google.com/profiles/julian.calaby/
--
To unsubscribe from this list: send the line "unsubscribe linux-wireless" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html