[Bug 207626] Memory leak in ctl.c

bugzilla-noreply at freebsd.org
Tue Mar 1 20:52:15 UTC 2016


            Bug ID: 207626
           Summary: Memory leak in ctl.c
           Product: Base System
           Version: 11.0-CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Many People
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs at FreeBSD.org
          Reporter: cturt at hardenedbsd.org

There is a memory leak in `sys/cam/ctl/ctl.c`.

`ctl_copyin_alloc` performs and returns an allocation with `malloc`:

static void *
ctl_copyin_alloc(void *user_addr, int len, char *error_str,
                 size_t error_str_len)
{
        void *kptr;

        kptr = malloc(len, M_CTL, M_WAITOK | M_ZERO);

        if (copyin(user_addr, kptr, len) != 0) {
                snprintf(error_str, error_str_len, "Error copying %d bytes "
                         "from user address %p to kernel address %p", len,
                         user_addr, kptr);
                free(kptr, M_CTL);
                return (NULL);
        }

        return (kptr);
}

`ctl_copyin_args` calls this function, but does not free the returned allocation
when the ASCII value is not NUL-terminated before jumping to `bailout`; at that
point `tmpptr` has not yet been stored in `args[i].kvalue`, so `ctl_free_args`
cannot reach it:

static struct ctl_be_arg *
ctl_copyin_args(int num_args, struct ctl_be_arg *uargs,
                char *error_str, size_t error_str_len)
{
        uint8_t *tmpptr;

        /* ... */

                if (args[i].flags & CTL_BEARG_RD) {
                        tmpptr = ctl_copyin_alloc(args[i].value,
                                args[i].vallen, error_str, error_str_len);
                        if (tmpptr == NULL)
                                goto bailout;
                        if ((args[i].flags & CTL_BEARG_ASCII)
                         && (tmpptr[args[i].vallen - 1] != '\0')) {
                                snprintf(error_str, error_str_len, "Argument "
                                    "%d value is not NUL-terminated", i);
                                goto bailout;
                        }
                        args[i].kvalue = tmpptr;
                } else {
                        args[i].kvalue = malloc(args[i].vallen,
                            M_CTL, M_WAITOK | M_ZERO);
                }

        /* ... */

        return (args);

bailout:
        ctl_free_args(num_args, args);

        return (NULL);
}

Should be:

                                snprintf(error_str, error_str_len, "Argument "
                                    "%d value is not NUL-terminated", i);
                                free(tmpptr, M_CTL);
                                goto bailout;
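As an added illustration (not code from the report or from ctl.c), the following user-space model of the `ctl_copyin_args` loop counts outstanding allocations: with `fix_leak` set to 0 it follows the reported error path and leaves the `tmpptr` block live, with 1 it frees `tmpptr` before `goto bailout` as the fix does. The names `copyin_alloc`, `copyin_args`, `xalloc`, `xfree`, `live_allocs`, `be_arg` and `leaked_blocks` are invented for the model, and the `copyin()` failure path is left out.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed user-space model of the ctl_copyin_args() error path; the
 * allocation counter stands in for a kernel memory-leak check. */
static int live_allocs;                 /* blocks allocated but not freed */
static void *xalloc(size_t len) { live_allocs++; return calloc(1, len); }
static void xfree(void *p) { if (p != NULL) { live_allocs--; free(p); } }
struct be_arg { int ascii; const uint8_t *value; size_t vallen; uint8_t *kvalue; };

/* Stand-in for ctl_copyin_alloc(): copy a "user" buffer into a fresh block. */
static uint8_t *copyin_alloc(const uint8_t *user, size_t len)
{
    uint8_t *kptr = xalloc(len);
    memcpy(kptr, user, len);            /* the real copyin() can fail; omitted */
    return kptr;
}

/* Copies each argument in. fix_leak == 0 reproduces the reported path,
 * fix_leak == 1 adds the missing free(). Returns 0, or -1 after cleanup. */
static int copyin_args(struct be_arg *args, int n, int fix_leak)
{
    for (int i = 0; i < n; i++) {
        uint8_t *tmpptr = copyin_alloc(args[i].value, args[i].vallen);
        if (args[i].ascii && tmpptr[args[i].vallen - 1] != '\0') {
            if (fix_leak)
                xfree(tmpptr);          /* the free() the report says is missing */
            goto bailout;               /* tmpptr is not reachable from args[] here */
        }
        args[i].kvalue = tmpptr;        /* only now can the bailout cleanup find it */
    }
    return 0;
bailout:
    for (int i = 0; i < n; i++) {       /* models ctl_free_args() */
        xfree(args[i].kvalue);
        args[i].kvalue = NULL;
    }
    return -1;
}

/* One valid argument followed by one without a trailing NUL; returns the
 * number of blocks still allocated afterwards (1 = leak, 0 = clean). */
static int leaked_blocks(int fix_leak)
{
    static const uint8_t good[] = { 'o', 'k', '\0' }, bad[] = { 'a', 'b', 'c' };
    struct be_arg args[2] = { { 1, good, sizeof(good), NULL },
                              { 1, bad, sizeof(bad), NULL } };
    live_allocs = 0;
    (void)copyin_args(args, 2, fix_leak);
    return live_allocs;
}
```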
