misc/144974: [ping6] malloc()s not free()'d
Earl R. Lapus
earl.lapus at gmail.com
Tue Mar 23 12:20:02 UTC 2010
>Number: 144974
>Category: misc
>Synopsis: [ping6] malloc()s not free()'d
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Tue Mar 23 12:20:01 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator: Earl R. Lapus
>Release: FreeBSD 8.0
>Organization:
>Environment:
FreeBSD syutsyut.cebu.infoweapons.com 8.0-RELEASE FreeBSD 8.0-RELEASE #0: Tue Dec 15 12:44:45 PHT 2009 root at syutsyut.cebu.infoweapons.com:/usr/obj/usr/src/
sys/SYUTSYUT i386
>Description:
Some portions of the code allocates memory via malloc() but aren't free()'d when the ping6 exits. The attached patch attempts to fix the problem but may not be correct -- needs review.
>How-To-Repeat:
>Fix:
Patch attached with submission follows:
diff -ruN ../src/sbin/ping6/ping6.c ../src.mod/sbin/ping6/ping6.c
--- ../src/sbin/ping6/ping6.c 2009-10-25 09:10:29.000000000 +0800
+++ ../src.mod/sbin/ping6/ping6.c 2010-03-23 18:32:58.000000000 +0800
@@ -224,6 +224,13 @@
u_int8_t nonce[8]; /* nonce field for node information */
int hoplimit = -1; /* hoplimit */
int pathmtu = 0; /* path MTU for the destination. 0 = unspec. */
+u_char *packet = NULL;
+#ifdef HAVE_POLL_H
+struct pollfd fdmaskp[1];
+#else
+fd_set *fdmaskp = NULL;
+int fdmasks;
+#endif
/* counters */
long nmissedmax; /* max value of ntransmitted - nreceived - 1 */
@@ -301,19 +308,13 @@
struct timeval timeout, *tv;
#endif
struct addrinfo hints;
-#ifdef HAVE_POLL_H
- struct pollfd fdmaskp[1];
-#else
- fd_set *fdmaskp;
- int fdmasks;
-#endif
int cc, i;
int ch, hold, packlen, preload, optval, ret_ga;
- u_char *datap, *packet;
+ u_char *datap;
char *e, *target, *ifname = NULL, *gateway = NULL;
int ip6optlen = 0;
struct cmsghdr *scmsgp = NULL;
- struct cmsghdr *cm;
+ struct cmsghdr cm[CONTROLLEN];
#if defined(SO_SNDBUF) && defined(SO_RCVBUF)
u_long lsockbufsize;
int sockbufsize = 0;
@@ -1073,11 +1074,6 @@
seeninfo = 0;
#endif
- /* For control (ancillary) data received from recvmsg() */
- cm = (struct cmsghdr *)malloc(CONTROLLEN);
- if (cm == NULL)
- err(1, "malloc");
-
for (;;) {
struct msghdr m;
struct iovec iov[2];
@@ -1149,8 +1145,8 @@
iov[0].iov_len = packlen;
m.msg_iov = iov;
m.msg_iovlen = 1;
- memset(cm, 0, CONTROLLEN);
- m.msg_control = (void *)cm;
+ memset(&cm, 0, CONTROLLEN);
+ m.msg_control = (void *)&cm;
m.msg_controllen = CONTROLLEN;
cc = recvmsg(s, &m, 0);
@@ -1191,6 +1187,15 @@
}
}
summary();
+
+ if(packet != NULL)
+ free(packet);
+
+#ifndef HAVE_POLL_H
+ if(fdmaskp != NULL)
+ free(fdmaskp);
+#endif
+
exit(nreceived == 0 ? 2 : 0);
}
@@ -2247,6 +2252,14 @@
{
summary();
+ if(packet != NULL)
+ free(packet);
+
+#ifndef HAVE_POLL_H
+ if(fdmaskp != NULL)
+ free(fdmaskp);
+#endif
+
(void)signal(SIGINT, SIG_DFL);
(void)kill(getpid(), SIGINT);
>Release-Note:
>Audit-Trail:
>Unformatted:
More information about the freebsd-bugs
mailing list