[SCM] Socket Wrapper Repository - branch master updated

Tue Feb 9 17:13:10 UTC 2021

The branch, master has been updated
       via  db594f1 swrap: don't touch msg_tmp in swrap_recvmsg_after_unix() on error
       via  2b8a9e3 swrap: fix possible memory leak between swrap_recvmsg_{before,after}_unix()
      from  3af2bf7 Bump version to 1.3.1

https://git.samba.org/?p=socket_wrapper.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit db594f106d9737e0415a268439fc9003bb636473
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Feb 9 16:09:59 2021 +0100

    swrap: don't touch msg_tmp in swrap_recvmsg_after_unix() on error
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit 2b8a9e3255f2c9bf440cbae404ca8ac8f3f910f6
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Feb 9 15:57:22 2021 +0100

    swrap: fix possible memory leak between swrap_recvmsg_{before,after}_unix()
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 src/socket_wrapper.c | 36 ++++++++++++++++++++++++++++++------
 1 file changed, 30 insertions(+), 6 deletions(-)


Changeset truncated at 500 lines:

diff --git a/src/socket_wrapper.c b/src/socket_wrapper.c
index ece3493..59fb07d 100644
--- a/src/socket_wrapper.c
+++ b/src/socket_wrapper.c
@@ -5960,7 +5960,8 @@ static ssize_t swrap_sendmsg_after_unix(struct msghdr *msg_tmp,
 }
 
 static int swrap_recvmsg_before_unix(struct msghdr *msg_in,
-				     struct msghdr *msg_tmp)
+				     struct msghdr *msg_tmp,
+				     uint8_t **tmp_control)
 {
 #ifdef HAVE_STRUCT_MSGHDR_MSG_CONTROL
 	const size_t cm_extra_space = CMSG_SPACE(sizeof(int));
@@ -5968,6 +5969,7 @@ static int swrap_recvmsg_before_unix(struct msghdr *msg_in,
 	size_t cm_data_space = 0;
 
 	*msg_tmp = *msg_in;
+	*tmp_control = NULL;
 
 	SWRAP_LOG(SWRAP_LOG_TRACE,
 		  "msg_in->msg_controllen=%zu",
@@ -5995,6 +5997,7 @@ static int swrap_recvmsg_before_unix(struct msghdr *msg_in,
 
 	msg_tmp->msg_controllen = cm_data_space;
 	msg_tmp->msg_control = cm_data;
+	*tmp_control = cm_data;
 
 	SWRAP_LOG(SWRAP_LOG_TRACE,
 		  "msg_tmp->msg_controllen=%zu",
@@ -6002,11 +6005,13 @@ static int swrap_recvmsg_before_unix(struct msghdr *msg_in,
 	return 0;
 #else /* HAVE_STRUCT_MSGHDR_MSG_CONTROL */
 	*msg_tmp = *msg_in;
+	*tmp_control = NULL;
 	return 0;
 #endif /* ! HAVE_STRUCT_MSGHDR_MSG_CONTROL */
 }
 
 static ssize_t swrap_recvmsg_after_unix(struct msghdr *msg_tmp,
+					uint8_t **tmp_control,
 					struct msghdr *msg_out,
 					ssize_t ret)
 {
@@ -6016,13 +6021,26 @@ static ssize_t swrap_recvmsg_after_unix(struct msghdr *msg_tmp,
 	size_t cm_data_space = 0;
 	int rc = -1;
 
+	if (ret < 0) {
+		int saved_errno = errno;
+		SWRAP_LOG(SWRAP_LOG_TRACE, "ret=%zd - %d - %s", ret,
+			  saved_errno, strerror(saved_errno));
+		SAFE_FREE(*tmp_control);
+		/* msg_out should not be touched on error */
+		errno = saved_errno;
+		return ret;
+	}
+
 	SWRAP_LOG(SWRAP_LOG_TRACE,
 		  "msg_tmp->msg_controllen=%zu",
 		  (size_t)msg_tmp->msg_controllen);
 
 	/* Nothing to do */
 	if (msg_tmp->msg_controllen == 0 || msg_tmp->msg_control == NULL) {
+		int saved_errno = errno;
 		*msg_out = *msg_tmp;
+		SAFE_FREE(*tmp_control);
+		errno = saved_errno;
 		return ret;
 	}
 
@@ -6045,16 +6063,17 @@ static ssize_t swrap_recvmsg_after_unix(struct msghdr *msg_tmp,
 		if (rc < 0) {
 			int saved_errno = errno;
 			SAFE_FREE(cm_data);
+			SAFE_FREE(*tmp_control);
 			errno = saved_errno;
 			return rc;
 		}
 	}
 
 	/*
-	 * msg_tmp->msg_control was created by swrap_recvmsg_before_unix()
-	 * and msg_out->msg_control is still the buffer of the caller.
+	 * msg_tmp->msg_control (*tmp_control) was created by
+	 * swrap_recvmsg_before_unix() and msg_out->msg_control
+	 * is still the buffer of the caller.
 	 */
-	SAFE_FREE(msg_tmp->msg_control);
 	msg_tmp->msg_control = msg_out->msg_control;
 	msg_tmp->msg_controllen = msg_out->msg_controllen;
 	*msg_out = *msg_tmp;
@@ -6063,13 +6082,17 @@ static ssize_t swrap_recvmsg_after_unix(struct msghdr *msg_tmp,
 	memcpy(msg_out->msg_control, cm_data, cm_data_space);
 	msg_out->msg_controllen = cm_data_space;
 	SAFE_FREE(cm_data);
+	SAFE_FREE(*tmp_control);
 
 	SWRAP_LOG(SWRAP_LOG_TRACE,
 		  "msg_out->msg_controllen=%zu",
 		  (size_t)msg_out->msg_controllen);
 	return ret;
 #else /* HAVE_STRUCT_MSGHDR_MSG_CONTROL */
+	int saved_errno = errno;
 	*msg_out = *msg_tmp;
+	SAFE_FREE(*tmp_control);
+	errno = saved_errno;
 	return ret;
 #endif /* ! HAVE_STRUCT_MSGHDR_MSG_CONTROL */
 }
@@ -6986,12 +7009,13 @@ static ssize_t swrap_recvmsg(int s, struct msghdr *omsg, int flags)
 
 	si = find_socket_info(s);
 	if (si == NULL) {
-		rc = swrap_recvmsg_before_unix(omsg, &msg);
+		uint8_t *tmp_control = NULL;
+		rc = swrap_recvmsg_before_unix(omsg, &msg, &tmp_control);
 		if (rc < 0) {
 			return rc;
 		}
 		ret = libc_recvmsg(s, &msg, flags);
-		return swrap_recvmsg_after_unix(&msg, omsg, ret);
+		return swrap_recvmsg_after_unix(&msg, &tmp_control, omsg, ret);
 	}
 
 	tmp.iov_base = NULL;


-- 
Socket Wrapper Repository

