svn commit: samba r13978 - in branches/SAMBA_3_0/source/registry: .

Tue Mar 7 19:19:00 GMT 2006

Author: jra
Date: 2006-03-07 19:18:56 +0000 (Tue, 07 Mar 2006)
New Revision: 13978

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=13978

Log:
Here is why it's essential to use SAFE_FREE instead of free.
If we use free(data.dptr) and then the subsequent tdb_open
fails in _reg_perfcount_get_counter_data() then data.dptr
is left as a non-zero pointer that has been freed. This would
cause it to be reused later on. Coverity bug #162.
Jeremy.

Modified:
   branches/SAMBA_3_0/source/registry/reg_perfcount.c


Changeset:
Modified: branches/SAMBA_3_0/source/registry/reg_perfcount.c
===================================================================

--- branches/SAMBA_3_0/source/registry/reg_perfcount.c	2006-03-07 19:18:47 UTC (rev 13977)
+++ branches/SAMBA_3_0/source/registry/reg_perfcount.c	2006-03-07 19:18:56 UTC (rev 13978)
@@ -499,7 +499,7 @@
 	obj->counters[obj->NumCounters].CounterType = atoi(buf);
 	DEBUG(10, ("_reg_perfcount_get_counter_info: Got type [%d] for counter [%d].\n",
 		   obj->counters[obj->NumCounters].CounterType, CounterIndex));
-	free(data.dptr);
+	SAFE_FREE(data.dptr);
 
 	/* Fetch the actual data */
 	_reg_perfcount_make_key(&key, buf, PERFCOUNT_MAX_LEN, CounterIndex, "");
@@ -544,7 +544,7 @@
 		memset(buf, 0, PERFCOUNT_MAX_LEN);
 		memcpy(buf, data.dptr, data.dsize);
 	}
-	free(data.dptr);
+	SAFE_FREE(data.dptr);
 
 	obj->counter_data.ByteLength += dsize + padding;
 	obj->counter_data.data = TALLOC_REALLOC_ARRAY(ps->mem_ctx,
@@ -694,7 +694,7 @@
 		return False;
 	memset(inst->counter_data.data, 0, data.dsize);
 	memcpy(inst->counter_data.data, data.dptr, data.dsize);
-	free(data.dptr);
+	SAFE_FREE(data.dptr);
 
 	/* Fetch instance name */
 	memset(temp, 0, PERFCOUNT_MAX_LEN);
@@ -719,7 +719,7 @@
 						  uint8,
 						  inst->NameLength);
 		memcpy(inst->data, name, inst->NameLength);
-		free(data.dptr);
+		SAFE_FREE(data.dptr);
 	}
 
 	inst->ParentObjectTitleIndex = 0;
@@ -807,7 +807,7 @@
 				DEBUG(3, ("_reg_perfcount_assemble_global: Failed to add new relationship for counter [%d].\n", j));
 				retval = -1;
 			}
-			free(data.dptr);
+			SAFE_FREE(data.dptr);
 		}
 		else
 			DEBUG(3, ("NULL relationship for counter [%d] using key [%s].\n", j, keybuf));
@@ -837,7 +837,7 @@
 
 	memset(buf, 0, PERFCOUNT_MAX_LEN);
 	memcpy(buf, data.dptr, data.dsize);
-	free(data.dptr);
+	SAFE_FREE(data.dptr);
 
 	*retval = atof(buf);
 

