From 4fdc960c33724f859be74a630e0d668a74f6637d Mon Sep 17 00:00:00 2001
From: Alan Coopersmith
Date: Mon, 8 Jun 2015 23:20:06 -0700
Subject: Fix memory leaks when not using alloca

Reported by Oracle Parfait 1.5.1: Error: Memory leak (CWE 401) Memory leak of pointer client_auth allocated with FSalloc((prefix->num_auths * 24)) at line 256 of difs/dispatch.c in function 'ProcEstablishConnection'. client_auth allocated at line 243 with FSalloc((prefix->num_auths * 24)). client_auth leaks when (((Atom)ad) - ((Atom)(prefix + 8))) > ((stuff->length << 2) - 4) at line 252. malloc called at line 372 of os/utils.c in function 'FSalloc' at line 276 of difs/dispatch.c in function 'ProcEstablishConnection'. client_auth allocated at line 243 with FSalloc((prefix->num_auths * 24)). client_auth leaks when (i + 1) >= ((fsConnClientPrefix*)client->requestBuffer)[1].num_auths at line 251. malloc called at line 372 of os/utils.c in function 'FSalloc' Error: Memory leak (CWE 401) Memory leak of pointer acp allocated with FSalloc((stuff->num_auths * 24)) at line 604 of difs/dispatch.c in function 'ProcCreateAC'. acp allocated at line 590 with FSalloc((stuff->num_auths * 24)). acp leaks when ((((Atom)ad) - ((Atom)client->requestBuffer)) + 8) > ((stuff->length << 2) - 4) at line 599. malloc called at line 372 of os/utils.c in function 'FSalloc' at line 622 of difs/dispatch.c in function 'ProcCreateAC'. acp allocated at line 590 with FSalloc((stuff->num_auths * 24)). acp leaks when (i + 1) >= ((fsCreateACReq*)client->requestBuffer)->num_auths at line 597. malloc called at line 372 of os/utils.c in function 'FSalloc'
Signed-off-by: Alan Coopersmith
---
difs/dispatch.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/difs/dispatch.c b/difs/dispatch.c
index 36c82ef..60aa841 100644
--- a/difs/dispatch.c
+++ b/difs/dispatch.c
@@ -253,6 +253,7 @@ ProcEstablishConnection(ClientPtr client) int lengthword = stuff->length; SendErrToClient(client, FSBadLength, (pointer)&lengthword); + DEALLOCATE_LOCAL(client_auth); return (FSBadLength); } /* copy carefully in case wire data is not aligned */ @@ -273,6 +274,7 @@ ProcEstablishConnection(ClientPtr client) int lengthword = stuff->length; SendErrToClient(client, FSBadLength, (pointer)&lengthword); + DEALLOCATE_LOCAL(client_auth); return (FSBadLength); } @@ -292,6 +294,7 @@ ProcEstablishConnection(ClientPtr client) authp = (AuthContextPtr) fsalloc(sizeof(AuthContextRec)); if (!authp) { SendErrToClient(client, FSBadAlloc, (pointer) 0); + DEALLOCATE_LOCAL(client_auth); return FSBadAlloc; } authp->authname = @@ -303,6 +306,7 @@ ProcEstablishConnection(ClientPtr client) fsfree((char *) authp->authdata); fsfree((char *) authp); SendErrToClient(client, FSBadAlloc, (pointer) 0); + DEALLOCATE_LOCAL(client_auth); return FSBadAlloc; } memmove( authp->authname, client_auth[auth_index - 1].name, @@ -318,6 +322,7 @@ ProcEstablishConnection(ClientPtr client) fsfree((char *) authp->authdata); fsfree((char *) authp); SendErrToClient(client, FSBadAlloc, (pointer) 0); + DEALLOCATE_LOCAL(client_auth); return FSBadAlloc; } client->auth = client->default_auth = authp; @@ -601,6 +606,7 @@ ProcCreateAC(ClientPtr client) int lengthword = stuff->length; SendErrToClient(client, FSBadLength, (pointer)&lengthword); + DEALLOCATE_LOCAL(acp); return (FSBadLength); } /* copy carefully in case data is not aligned */ @@ -619,6 +625,8 @@ ProcCreateAC(ClientPtr client) int lengthword = stuff->length; SendErrToClient(client, FSBadLength, (pointer)&lengthword); + if (acp) + DEALLOCATE_LOCAL(acp); return (FSBadLength); } -- cgit v1.2.3
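Review bot: The release of client_auth is now repeated by hand before each of the five early returns in ProcEstablishConnection (the hunks at -253, -273, -292, -303 and -318), so the next error path added to this function can silently reintroduce the leak Parfait reported. The FSBadLength paths are taken when the length in the client's request does not match its auth data, so a missed release here looks like memory growth a connecting client can drive (CWE-401). A single exit makes the pairing with the allocation checkable at a glance: record the status in a local, `goto out;` from each failure, and finish with `out: DEALLOCATE_LOCAL(client_auth); return err;`. The allocation and the normal return are outside these hunks, so confirm the success path releases client_auth as well.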
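Review bot: The guard added in the last hunk (-619, ProcCreateAC), `if (acp) DEALLOCATE_LOCAL(acp);`, is unbraced and differs from the unconditional call added at -601 without saying why. The commit subject implies DEALLOCATE_LOCAL does nothing in the alloca build; if it expands to an empty statement there, this line becomes `if (acp) ;`, which compilers warn about and which is easy to misread, so `if (acp) { DEALLOCATE_LOCAL(acp); }` is the safer form. A one-line comment such as `/* acp is still NULL when the request carries no auth entries */` would explain the guard, assuming that is the reason; the allocation of acp is outside the hunk.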