[Bug 295488] syslogd: memory leak in casper_ttymsg() via nvlist_take_string_array

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=295488

            Bug ID: 295488
           Summary: syslogd: memory leak in casper_ttymsg() via
                    nvlist_take_string_array
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: bin
          Assignee: bugs@FreeBSD.org
          Reporter: pat@patmaddox.com

Created attachment 271006
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=271006&action=edit
reproducer script

`casper_ttymsg()` in `usr.sbin/syslogd/syslogd_cap_log.c` leaks the string
array returned by `nvlist_take_string_array()`. The function takes ownership of
both the array pointer and the individual strings, but only frees the `iov`
wrapper. The strings and array itself are never freed.

This leaks memory on every F_CONSOLE and F_TTY log message (e.g. anything
matching `*.err` routed to `/dev/console` in the default syslog.conf). On
long-running systems, the `syslogd.casper` child process grows to hundreds of
MB.

The sibling function `casper_wallmsg()` in the same file handles cleanup
correctly and can serve as a reference for the fix.

---

Here are the results of the reproducer script:

root@devbsd:~/lab/default.jj/oss/freebsd-src/default.jj/usr.sbin/syslogd #
../../../prs/freebsd-mem-leak/leak-test.sh
syslogd not running? (check /var/run/syslog.pid).
--- 150000 user.info messages to /tmp/leak-test.log ---
casper RSS (KB):
2676 syslogd: syslogd.casper (syslogd)

--- 150000 user.err messages to /dev/console ---
casper RSS (KB):
31336 syslogd: syslogd.casper (syslogd)

Starting syslogd.

-- 
You are receiving this mail because:
You are the assignee for the bug.