From owner-freebsd-stable Wed Sep 25 19: 2: 1 2002
Delivered-To: freebsd-stable@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 47FE237B401 for ; Wed, 25 Sep 2002 19:02:00 -0700 (PDT)
Received: from smtp01.iprimus.net.au (smtp01.iprimus.net.au [210.50.30.70]) by mx1.FreeBSD.org (Postfix) with ESMTP id CEF9E43E6E for ; Wed, 25 Sep 2002 19:01:58 -0700 (PDT) (envelope-from tim@robbins.dropbear.id.au)
Received: from dilbert.robbins.dropbear.id.au ([210.50.219.246]) by smtp01.iprimus.net.au with Microsoft SMTPSVC(5.0.2195.4617); Thu, 26 Sep 2002 12:01:52 +1000
Received: from dilbert.robbins.dropbear.id.au (ruuji8ho0vgo5zyh@localhost [127.0.0.1]) by dilbert.robbins.dropbear.id.au (8.12.6/8.12.6) with ESMTP id g8Q21nqi084785; Thu, 26 Sep 2002 12:01:49 +1000 (EST) (envelope-from tim@dilbert.robbins.dropbear.id.au)
Received: (from tim@localhost) by dilbert.robbins.dropbear.id.au (8.12.6/8.12.6/Submit) id g8Q21lEB084784; Thu, 26 Sep 2002 12:01:47 +1000 (EST) (envelope-from tim)
Date: Thu, 26 Sep 2002 12:01:47 +1000
From: Tim Robbins
To: Barney Wolff
Cc: David Schultz, Peter Jeremy, stable@FreeBSD.org
Subject: Re: [v]asprintf leaks memory
Message-ID: <20020926120147.A84266@dilbert.robbins.dropbear.id.au>
References: <20020925133219.GA59210@HAL9000.homeunix.com> <20020925214322.GL495@gsmx07.alcatel.com.au> <20020925230236.GA60375@HAL9000.homeunix.com> <20020925231441.GA8968@tp.databus.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5.1i
In-Reply-To: <20020925231441.GA8968@tp.databus.com>; from barney@tp.databus.com on Wed, Sep 25, 2002 at 07:14:41PM -0400
X-OriginalArrivalTime: 26 Sep 2002 02:01:53.0604 (UTC) FILETIME=[AF58E840:01C26500]
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
List-ID: 
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe: 
List-Unsubscribe: 
X-Loop: FreeBSD.ORG

On Wed, Sep 25, 2002 at 07:14:41PM -0400, Barney Wolff wrote:
> On Wed, Sep 25, 2002 at 04:02:37PM -0700, David Schultz wrote:
> >
> > I don't really care one way or the other, but regardless of what
> > the manpage says, reallocf()'s semantics should probably match the
> > way it's already used. Maybe what I found was an isolated bug and
> > reallocf() DTRT already. In that case, the patch I posted should
> > probably be applied.
>
> Could you please explain exactly how the original code leaks memory?
> Maybe I'm being dense today but I just don't see it. If reallocf
> returns NULL the original buffer has been freed.

The asprintf() function works by allocating a relatively small (128 byte)
buffer for the data, then it calls __svfprintf() which calls __sfvwrite()
to write the data to the "file" (which is really a string). If
__sfvwrite() can't get enough memory for a bigger buffer, it sets
fp->_bf._base to NULL but does not change fp->_bf._size. When control
returns to asprintf(), it realloc()'s _bf._base to be _bf._size + 1 byte
long. Because _bf._base is already NULL, the call which was designed to
shrink the buffer actually allocates a new one (!) and returns the freshly
allocated storage back to the caller (!).

I'll apply David's patch...

Tim
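The failure path Tim describes, as an added example that is not part of the thread and not FreeBSD's libc source. It is a constructed, simplified model: a string-backed "file" with the _bf._base / _bf._size fields named in the message, a stand-in for the __sfvwrite() growth step that can be forced to fail the way the message describes (base set to NULL, size left stale), and two versions of the asprintf() tail. The buggy shape shrinks the buffer unconditionally, so realloc(NULL, n) acts as malloc(n) and a fresh buffer is handed back on a failed write; the fixed shape checks the write result and the NULL base first. Function and field names other than _bf._base and _bf._size are assumptions of this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the string-backed FILE used by asprintf().
 * Only _bf._base and _bf._size come from the thread; the rest is illustrative. */
struct model_buf { unsigned char *_base; size_t _size; };
struct model_file { struct model_buf _bf; size_t _used; };

/* Stand-in for the __sfvwrite() path: append data, growing the buffer when
 * needed. With fail_grow set, the growth step "fails" exactly as described in
 * the thread: the old buffer is freed, _base becomes NULL, _size is untouched.
 * Returns 0 on success, -1 on failure. */
static int model_write(struct model_file *fp, const char *s, int fail_grow)
{
    size_t len = strlen(s);
    if (fp->_used + len + 1 > fp->_bf._size) {
        if (fail_grow) {
            free(fp->_bf._base);
            fp->_bf._base = NULL;          /* _size deliberately left stale */
            return -1;
        }
        size_t nsize = fp->_bf._size * 2 + len;
        unsigned char *nb = realloc(fp->_bf._base, nsize);
        if (nb == NULL)
            return -1;
        fp->_bf._base = nb;
        fp->_bf._size = nsize;
    }
    memcpy(fp->_bf._base + fp->_used, s, len);
    fp->_used += len;
    fp->_bf._base[fp->_used] = '\0';
    return 0;
}

/* Buggy shape: unconditionally "shrink" _base to _size + 1 and return it.
 * When _base is NULL, realloc(NULL, n) is malloc(n): a fresh buffer is handed
 * to a caller that sees -1 and never frees it, which is the leak. */
static int model_asprintf_buggy(char **ret, const char *s, int fail_grow)
{
    struct model_file f = { { malloc(128), 128 }, 0 };
    if (f._bf._base == NULL) { *ret = NULL; return -1; }
    int rv = model_write(&f, s, fail_grow);
    *ret = realloc(f._bf._base, f._bf._size + 1);
    return rv < 0 ? -1 : (int)f._used;
}

/* Fixed shape: bail out (returning NULL) if the write failed or _base is
 * already NULL; only then shrink a real buffer to the bytes actually used. */
static int model_asprintf_fixed(char **ret, const char *s, int fail_grow)
{
    struct model_file f = { { malloc(128), 128 }, 0 };
    if (f._bf._base == NULL) { *ret = NULL; return -1; }
    int rv = model_write(&f, s, fail_grow);
    if (rv < 0 || f._bf._base == NULL) {
        free(f._bf._base);
        *ret = NULL;
        return -1;
    }
    unsigned char *nb = realloc(f._bf._base, f._used + 1);
    *ret = (char *)(nb != NULL ? nb : f._bf._base);
    return (int)f._used;
}

/* Constructed input: 256 bytes, long enough to force a grow past 128. */
static const char *long_input(void)
{
    static char buf[257];
    if (buf[0] == '\0') { memset(buf, 'A', 256); buf[256] = '\0'; }
    return buf;
}

/* 1 if the buggy tail returns a buffer alongside a failure status. */
static int buggy_returns_buffer_on_failure(void)
{
    char *p = NULL;
    int rv = model_asprintf_buggy(&p, long_input(), 1);
    int leaked = (rv < 0 && p != NULL);
    free(p);                               /* the real caller would not */
    return leaked;
}

/* 1 if the fixed tail reports failure with a NULL result. */
static int fixed_returns_null_on_failure(void)
{
    char *p = (char *)long_input();        /* sentinel: must be overwritten */
    int rv = model_asprintf_fixed(&p, long_input(), 1);
    return rv < 0 && p == NULL;
}

/* Length of the formatted string on the fixed success path, -1 if wrong. */
static int fixed_success_length(void)
{
    char *p = NULL;
    int rv = model_asprintf_fixed(&p, long_input(), 0);
    int ok = (rv == 256 && p != NULL && strlen(p) == 256);
    free(p);
    return ok ? rv : -1;
}

int main(void)
{
    printf("buggy leaks on failure: %d\n", buggy_returns_buffer_on_failure());
    printf("fixed NULL on failure:  %d\n", fixed_returns_null_on_failure());
    printf("fixed success length:   %d\n", fixed_success_length());
    return 0;
}
```

The point the model makes concrete is Barney's question: reallocf() freeing its argument on failure is irrelevant here, because the argument is already NULL by the time asprintf() calls it, so the call succeeds and allocates instead of shrinking.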