Date: Sun, 16 Oct 2011 18:57:18 +0200
From: Christian Brueffer <brueffer@FreeBSD.org>
To: Pawel Jakub Dawidek <pjd@FreeBSD.org>
Cc: svn-src-head@freebsd.org, svn-src-all@freebsd.org, src-committers@freebsd.org
Subject: Re: svn commit: r226398 - head/sys/dev/iicbus
Message-ID: <4E9B0CEE.7000809@FreeBSD.org>
In-Reply-To: <20111016154611.GA1832@garage.freebsd.pl>
References: <201110151557.p9FFvuuc020536@svn.freebsd.org> <20111016154611.GA1832@garage.freebsd.pl>
This is a multi-part message in MIME format. --------------040404080201060701070605 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit On 10/16/11 17:46 , Pawel Jakub Dawidek wrote: > On Sat, Oct 15, 2011 at 03:57:56PM +0000, Christian Brueffer wrote: >> Author: brueffer >> Date: Sat Oct 15 15:57:55 2011 >> New Revision: 226398 >> URL: http://svn.freebsd.org/changeset/base/226398 >> >> Log: >> Properly free resources in an error case. >> >> CID: 4203 >> Found with: Coverity Prevent(tm) >> MFC after: 1 week >> >> Modified: >> head/sys/dev/iicbus/iic.c >> >> Modified: head/sys/dev/iicbus/iic.c >> ============================================================================== >> --- head/sys/dev/iicbus/iic.c Sat Oct 15 15:21:33 2011 (r226397) >> +++ head/sys/dev/iicbus/iic.c Sat Oct 15 15:57:55 2011 (r226398) >> @@ -348,8 +348,10 @@ iicioctl(struct cdev *dev, u_long cmd, c >> buf = malloc(sizeof(*d->msgs) * d->nmsgs, M_TEMP, M_WAITOK); >> usrbufs = malloc(sizeof(void *) * d->nmsgs, M_TEMP, M_ZERO | M_WAITOK); >> error = copyin(d->msgs, buf, sizeof(*d->msgs) * d->nmsgs); >> - if (error) >> + if (error) { >> + free(usrbufs, M_TEMP); >> break; >> + } > > I think that better fix is to move usrbufs allocation after copyin(), as > usrbufs is not used there. > Agreed, how about the attached patch? --------------040404080201060701070605 Content-Type: text/plain; x-mac-type="0"; x-mac-creator="0"; name="iic.c.diff" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="iic.c.diff" Index: iic.c =================================================================== --- iic.c (revision 226398) +++ iic.c (working copy) 
@@ -346,13 +346,11 @@ case I2CRDWR: buf = malloc(sizeof(*d->msgs) * d->nmsgs, M_TEMP, M_WAITOK); - usrbufs = malloc(sizeof(void *) * d->nmsgs, M_TEMP, M_ZERO | M_WAITOK); error = copyin(d->msgs, buf, sizeof(*d->msgs) * d->nmsgs); - if (error) { - free(usrbufs, M_TEMP); + if (error) break; - } /* Alloc kernel buffers for userland data, copyin write data */ + usrbufs = malloc(sizeof(void *) * d->nmsgs, M_TEMP, M_ZERO | M_WAITOK); for (i = 0; i < d->nmsgs; i++) { m = &((struct iic_msg *)buf)[i]; usrbufs[i] = m->buf; --------------040404080201060701070605--
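Review bot: In the quoted r226398 hunk (@@ -348,8 +348,10 @@), the new error branch after copyin() frees usrbufs but not buf, which is allocated from M_TEMP two lines earlier, and nothing in the visible lines shows buf being released once the case breaks. If a common exit path after the switch frees buf, a short comment at the break saying so would explain the asymmetry; if not, add free(buf, M_TEMP) in the same branch.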
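Review bot: In the attached iic.c.diff hunk (@@ -346,13 +346,11 @@), d->nmsgs still sizes both allocations, sizeof(*d->msgs) * d->nmsgs and the relocated sizeof(void *) * d->nmsgs, and no range check on it is visible before either malloc(). Since this is the I2CRDWR ioctl path, consider rejecting a zero or oversized nmsgs ahead of the first malloc() so the multiplications cannot wrap and an M_WAITOK request cannot be driven to an arbitrary size.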