Date:      Tue, 01 Mar 2016 20:52:15 +0000
From:      bugzilla-noreply@freebsd.org
To:        freebsd-bugs@FreeBSD.org
Subject:   [Bug 207626] Memory leak in ctl.c
Message-ID:  <bug-207626-8@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=207626

            Bug ID: 207626
           Summary: Memory leak in ctl.c
           Product: Base System
           Version: 11.0-CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Many People
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs@FreeBSD.org
          Reporter: cturt@hardenedbsd.org

There is a memory leak in `sys/cam/ctl/ctl.c`.

`ctl_copyin_alloc` performs and returns an allocation with `malloc`:

static void *
ctl_copyin_alloc(void *user_addr, int len, char *error_str,
                 size_t error_str_len)
{
        void *kptr;

        kptr = malloc(len, M_CTL, M_WAITOK | M_ZERO);

        if (copyin(user_addr, kptr, len) != 0) {
                snprintf(error_str, error_str_len, "Error copying %d bytes "
                         "from user address %p to kernel address %p", len,
                         user_addr, kptr);
                free(kptr, M_CTL);
                return (NULL);
        }

        return (kptr);
}

`ctl_copyin_args` calls this function, but doesn't free the returned allocation
on the condition that the string is not terminated, before going to `bailout`:

static struct ctl_be_arg *
ctl_copyin_args(int num_args, struct ctl_be_arg *uargs,
                char *error_str, size_t error_str_len)
{
        ...

        uint8_t *tmpptr;

        ...

                if (args[i].flags & CTL_BEARG_RD) {
                        tmpptr = ctl_copyin_alloc(args[i].value,
                                args[i].vallen, error_str, error_str_len);
                        if (tmpptr == NULL)
                                goto bailout;
                        if ((args[i].flags & CTL_BEARG_ASCII)
                         && (tmpptr[args[i].vallen - 1] != '\0')) {
                                snprintf(error_str, error_str_len, "Argument "
                                    "%d value is not NUL-terminated", i);
                                /*
                                 * tmpptr has not been stored in
                                 * args[i].kvalue yet, so ctl_free_args()
                                 * at bailout never sees it: leak.
                                 */
                                goto bailout;
                        }
                        args[i].kvalue = tmpptr;
                } else {
                        args[i].kvalue = malloc(args[i].vallen,
                            M_CTL, M_WAITOK | M_ZERO);
                }
        }

        return (args);
bailout:

        ctl_free_args(num_args, args);

        return (NULL);
}

Should be:

                                snprintf(error_str, error_str_len, "Argument "
                                    "%d value is not NUL-terminated", i);
                                /* kernel free(9) takes the malloc type */
                                free(tmpptr, M_CTL);
                                goto bailout;
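The following is an added, user-space model of the error path described above; it is not code from ctl.c or from the reporter. It replaces malloc(9)/copyin(9) with a counting allocator and memcpy so the leaked block can be counted, and all names in it (xmalloc, xfree, live_allocs, copyin_alloc, copyin_args_model, leaked_blocks, the ARG_* flags) are hypothetical stand-ins for the ctl.c ones.

```c
/* Added example, not FreeBSD ctl.c: a user-space model of the
 * ctl_copyin_args error path with a counting allocator so the leak
 * on the "not NUL-terminated" branch is observable. All identifiers
 * are hypothetical stand-ins for the kernel ones. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ARG_RD    0x1   /* stands in for CTL_BEARG_RD */
#define ARG_ASCII 0x2   /* stands in for CTL_BEARG_ASCII */

struct arg {
    int         flags;
    size_t      vallen;
    const void *value;   /* "user" pointer; here just a host buffer */
    void       *kvalue;  /* kernel-side copy, NULL until filled in */
};

static int live_allocs;  /* outstanding blocks handed out by xmalloc() */

static void *xmalloc(size_t len)
{
    void *p = calloc(1, len);        /* zeroed, like M_ZERO */
    if (p != NULL)
        live_allocs++;
    return p;
}

static void xfree(void *p)
{
    if (p != NULL) {
        free(p);
        live_allocs--;
    }
}

/* Model of ctl_copyin_alloc: copy from "user" memory into a fresh block. */
static void *copyin_alloc(const void *user_addr, size_t len)
{
    void *kptr = xmalloc(len);
    if (kptr == NULL)
        return NULL;
    memcpy(kptr, user_addr, len);    /* stands in for copyin(9) */
    return kptr;
}

/* Model of ctl_free_args: release every kvalue that was stored. */
static void free_args(int num_args, struct arg *args)
{
    for (int i = 0; i < num_args; i++) {
        xfree(args[i].kvalue);
        args[i].kvalue = NULL;
    }
}

/* Walk the arguments like ctl_copyin_args. With fixed == 0 the original
 * control flow is reproduced; with fixed != 0 the temporary copy is
 * released before bailout. Returns 0 on success, -1 on error. The caller
 * passes args with every kvalue already NULL, as M_ZERO guarantees in ctl.c. */
static int copyin_args_model(int num_args, struct arg *args, int fixed)
{
    for (int i = 0; i < num_args; i++) {
        if (args[i].flags & ARG_RD) {
            uint8_t *tmpptr = copyin_alloc(args[i].value, args[i].vallen);
            if (tmpptr == NULL)
                goto bailout;
            if ((args[i].flags & ARG_ASCII) &&
                tmpptr[args[i].vallen - 1] != '\0') {
                if (fixed)
                    xfree(tmpptr);   /* the free the report adds */
                goto bailout;        /* tmpptr is not in args[i].kvalue yet */
            }
            args[i].kvalue = tmpptr;
        } else {
            args[i].kvalue = xmalloc(args[i].vallen);
        }
    }
    return 0;
bailout:
    free_args(num_args, args);
    return -1;
}

/* One scenario: a valid string followed by a non-terminated one.
 * Returns how many blocks are still allocated after the error path. */
int leaked_blocks(int fixed)
{
    static const char good[] = "ok";                /* constructed, NUL-terminated */
    static const char bad[3] = { 'b', 'a', 'd' };   /* constructed, no NUL */
    struct arg args[2] = {
        { ARG_RD | ARG_ASCII, sizeof good, good, NULL },
        { ARG_RD | ARG_ASCII, sizeof bad,  bad,  NULL },
    };
    live_allocs = 0;
    (void)copyin_args_model(2, args, fixed);
    return live_allocs;
}

int main(void)
{
    printf("blocks left, original path: %d\n", leaked_blocks(0));  /* 1 */
    printf("blocks left, with free():   %d\n", leaked_blocks(1));  /* 0 */
    return 0;
}
```

The first argument is stored in args[0].kvalue and is reclaimed by free_args, so the one block left over on the original path is exactly the unterminated second value that never reached kvalue; the same counter reads zero once the free is placed before the goto.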

-- 
You are receiving this mail because:
You are the assignee for the bug.