YMMC 2 memory checks
andreas moroder
claudiamoroder at st-ulrich.suedtirol.net
Fri Aug 17 19:08:04 GMT 2001
Hello,
I found a few other mallocs without a check, or with checks that seem a little bit
unclear to me.
locking/locking.c
in BOOL set_share_mode(files_struct *fsp, uint16 port, uint16 op_type)
at line 513 data is used without a check
p = (char *)malloc(size);
data = (struct locking_data *)p;
data->num_share_mode_entries = 1;
at line 530 the memory pointed to by p is cleared without a check
p = malloc(size);
memcpy(p, dbuf.dptr, sizeof(*data));
pam_smbpass/pam_smb_auth.c
in int pam_sm_authenticate(pam_handle_t *pamh, int flags,
at line 83
ret_data = malloc(sizeof(int)); is allocated, never checked,
freed or even used.
passdb/tdbpass.c
at line 238
tdb_entry = malloc (data.dsize); tdb_entry is allocated, and used
without a check
data.dptr = tdb_entry;
memset (data.dptr, 0, data.dsize);
printing/nt_printing.c
at lines 1492 and 1909 I found the following alloc without a
check
if (len != buflen) {
buf = (char *)Realloc(buf, len);
buflen = len;
goto again;
}
I'm not sure if this is really an error, because a dozen lines before
this, buf is set to NULL and used as a parameter to tdb_pack even though it should
be a pointer to real memory.
rpcparse/parse_lsa.c
at line 906 the text of the DEBUG statement is wrong (probably a cut and
paste without changes)
void init_q_lookup_sids(TALLOC_CTX *mem_ctx, LSA_Q_LOOKUP_SIDS *q_l,
POLICY_HND *hnd, int num_sids, DOM_SID *sids,
uint16 level)
{
DEBUG(5, ("init_r_enum_trust_dom\n")); <<<<<<<<<<<<<<<<<<
at line 548 and later there are three mallocs. There is a check after every
malloc, but if the first one or two mallocs are ok and the next one fails, the
memory allocated before is not released. Maybe it is released later, but
it's worth checking.
The same situation is at line 596
if (!(r_e->hdr_domain_name = (UNIHDR2 *)
malloc(sizeof(UNIHDR2)))) return;
if (!(r_e->uni_domain_name = (UNISTR2 *)
malloc(sizeof(UNISTR2)))) return;
if (!(r_e->domain_sid = (DOM_SID2 *)
malloc(sizeof(DOM_SID2)))) return;
smbd/lanman.c
at line 930 and other places around this file I found the following code
desc.buflen = getlen(desc.format);
desc.base = tmpdata = (char *) malloc (desc.buflen);
}
if (init_package(&desc,1,count)) {
desc.subcount = count;
There is no check after malloc in this function. init_package DOES check the
pointer and returns FALSE. There is no error in this code, but it is anything but
readable this way.
Bye
Andreas Moroder
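The mail raises two related points: malloc results used without a NULL check, and a sequence of checked mallocs that returns early and leaves the earlier blocks allocated. The following is an added example, not code from the mail or from Samba, showing the partial-failure case with a constructed three-member record (the struct and function names are hypothetical stand-ins for the hdr_domain_name/uni_domain_name/domain_sid sequence). A small allocation tracker with an injectable failure point makes the difference observable offline: the early-return variant leaves blocks live after a failure, while the cleanup-label variant releases them and leaves the record fully NULLed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdbool.h>

/* Constructed stand-in for a record with three separately allocated
 * members, modelled on the three-malloc sequence quoted in the mail.
 * Names are hypothetical, not Samba's. */
struct domain_rec {
    char *hdr;
    char *name;
    char *sid;
};

/* Allocation tracking so leak behaviour can be observed without a tool.
 * fail_on_call: when non-zero, the Nth allocation returns NULL
 * (simulates out-of-memory at a chosen point). */
static int fail_on_call = 0;
static int call_count = 0;
static int live_allocs = 0;

static void *tracked_malloc(size_t n)
{
    call_count++;
    if (fail_on_call != 0 && call_count == fail_on_call)
        return NULL;
    void *p = malloc(n);
    if (p != NULL)
        live_allocs++;
    return p;
}

static void tracked_free(void *p)
{
    if (p != NULL) {
        live_allocs--;
        free(p);
    }
}

void reset_alloc_tracking(int fail_at)
{
    fail_on_call = fail_at;
    call_count = 0;
    live_allocs = 0;
}

int live_allocations(void) { return live_allocs; }

/* Pattern quoted in the mail: every malloc is checked, but an early return
 * on the second or third failure leaves the earlier blocks allocated. */
bool init_rec_leaky(struct domain_rec *r)
{
    memset(r, 0, sizeof(*r));
    if (!(r->hdr = tracked_malloc(16))) return false;
    if (!(r->name = tracked_malloc(64))) return false;
    if (!(r->sid = tracked_malloc(32))) return false;
    return true;
}

/* Corrected pattern: one cleanup label releases whatever was allocated
 * before the failure and NULLs the record, so the caller can neither
 * leak nor double-free. */
bool init_rec_clean(struct domain_rec *r)
{
    memset(r, 0, sizeof(*r));
    if (!(r->hdr = tracked_malloc(16))) goto fail;
    if (!(r->name = tracked_malloc(64))) goto fail;
    if (!(r->sid = tracked_malloc(32))) goto fail;
    return true;

fail:
    tracked_free(r->sid);
    tracked_free(r->name);
    tracked_free(r->hdr);
    memset(r, 0, sizeof(*r));
    return false;
}

/* Release a fully or partially initialised record (NULL members are skipped). */
void free_rec(struct domain_rec *r)
{
    tracked_free(r->sid);
    tracked_free(r->name);
    tracked_free(r->hdr);
    memset(r, 0, sizeof(*r));
}

/* Run one scenario: inject a failure at allocation number fail_at (0 = none),
 * initialise with the leaky or the clean variant, and report how many blocks
 * are still live immediately after the call returns. */
int blocks_live_after_failure(int fail_at, bool use_clean)
{
    struct domain_rec r;
    reset_alloc_tracking(fail_at);
    if (use_clean)
        init_rec_clean(&r);
    else
        init_rec_leaky(&r);
    int live = live_allocations();
    free_rec(&r);   /* release whatever survived, for the next scenario */
    return live;
}

int main(void)
{
    printf("leaky init, 3rd malloc fails: %d block(s) left live\n",
           blocks_live_after_failure(3, false));
    printf("clean init, 3rd malloc fails: %d block(s) left live\n",
           blocks_live_after_failure(3, true));
    printf("clean init, no failure: %d block(s) live before free\n",
           blocks_live_after_failure(0, true));
    return 0;
}
```

The counter-based tracker is only there to make the example self-checking; in a real tree the same behaviour would show up under a leak checker when allocation failure is induced. The clean variant also guarantees that the members are NULL on failure, which is what makes an unconditional free_rec in the caller safe.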