[Bug 217125] lib/libc/gen/fts.c resource leak in fts_build()

bugzilla-noreply at freebsd.org
Thu Feb 16 01:24:33 UTC 2017


https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=217125

            Bug ID: 217125
           Summary: lib/libc/gen/fts.c resource leak in fts_build()
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: bin
          Assignee: freebsd-bugs at FreeBSD.org
          Reporter: dan.krejsa at gmail.com

This issue was initially found using Coverity on a port to another OS of (a
slightly older version of) the FreeBSD version of fts.c.  It was not actually
observed in a running system.

To the best of my understanding, it still applies to the latest (Revision
300341) version that I could find of lib/libc/gen/fts.c.

Caveats: I am not personally a FreeBSD user, nor am I very familiar with
fts.c.
My intentions are good, please forgive me if I'm mistaken.

The problem occurs with this code in fts_build():

849         if (descend && (type == BCHILD || !nitems) &&
850                 (cur->fts_level == FTS_ROOTLEVEL ?
851                 FCHDIR(sp, sp->fts_rfd) :
852                 fts_safe_changedir(sp, cur->fts_parent, -1, ".."))) {
853                     cur->fts_info = FTS_ERR;
854                     SET(FTS_STOP);
855                     return (NULL);
856             }

If the function returns at line 855, any memory allocated in the list of FTSENT
structures headed by 'head' would be leaked.  As far as I can tell, it would be
possible (although probably uncommon, due to the presumed failure of the chdir
operation) to get into this code path with a non-empty list (type == BCHILD &&
nitems != 0).

Probably there should be an fts_lfree(head); call in there.

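The leak pattern described in the report, reduced to a stand-alone C model (an added example, not code from fts.c or from the reporter). `struct entry`, `build()`, `list_free()` and the `live_entries` counter are hypothetical stand-ins for FTSENT, fts_build(), fts_lfree() and an allocation tracker; the `chdir_fails` flag simulates the failing directory change.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for FTSENT; only the list link matters here. */
struct entry { struct entry *link; };

static long live_entries;   /* allocated entries not yet freed */

/* Plays the role of fts_lfree(): release every node on the list. */
static void list_free(struct entry *head) {
    while (head != NULL) {
        struct entry *next = head->link;
        free(head);
        live_entries--;
        head = next;
    }
}

/* Build nitems entries, then return to the parent directory.
 * chdir_fails simulates the failing FCHDIR()/fts_safe_changedir() call;
 * free_on_error applies the fts_lfree(head) call the report proposes. */
static struct entry *build(int nitems, int chdir_fails, int free_on_error) {
    struct entry *head = NULL;
    for (int i = 0; i < nitems; i++) {
        struct entry *e = calloc(1, sizeof(*e));
        if (e == NULL) {
            list_free(head);
            return NULL;
        }
        live_entries++;
        e->link = head;
        head = e;
    }
    if (chdir_fails) {
        if (free_on_error)
            list_free(head);
        return NULL;   /* without the free, the list is unreachable */
    }
    return head;
}

/* Entries leaked by one build whose directory change fails. */
long leaked_after_failure(int nitems, int free_on_error) {
    long before = live_entries;
    (void)build(nitems, 1, free_on_error);
    return live_entries - before;
}

int main(void) {
    printf("leaky: %ld\n", leaked_after_failure(3, 0));
    printf("fixed: %ld\n", leaked_after_failure(3, 1));
    return 0;
}
```

With an empty list (`nitems == 0`) the early return leaks nothing, which matches the report's point that only the non-empty case is affected.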