YMMC 2 memory checks

andreas moroder claudiamoroder at st-ulrich.suedtirol.net
Fri Aug 17 19:08:04 GMT 2001


Hello,

I found a few other mallocs without a check, or with checks that seem a little bit 
unclear to me.


locking/locking.c

	in BOOL set_share_mode(files_struct *fsp, uint16 port, uint16 op_type)

	at line 513 data is used without a check

	p = (char *)malloc(size);
	data = (struct locking_data *)p;
	data->num_share_mode_entries = 1;

	at line 530 the memory pointed to by p is cleared without a check

	p = malloc(size);
	memcpy(p, dbuf.dptr, sizeof(*data));

pam_smbpass/pam_smb_auth.c

	in int pam_sm_authenticate(pam_handle_t *pamh, int flags,

	at line 83

	ret_data = malloc(sizeof(int));

	is allocated, never checked, freed or even used.


passdb/tdbpass.c

	at line 238 tdb_entry is allocated, and used without a check

	tdb_entry = malloc (data.dsize);
	data.dptr = tdb_entry;
	memset (data.dptr, 0, data.dsize);


printing/nt_printing.c

	at lines 1492 and 1909 I found the following alloc without a check

	if (len != buflen) {
		buf = (char *)Realloc(buf, len);
		buflen = len;
		goto again;
	}

	I'm not sure if this is really an error, because a dozen lines before 
this, buf is set to NULL and used as a parameter to tdb_pack even though it 
should be a pointer to real memory.


rpcparse/parse_lsa.c

	at line 906 the text of the DEBUG statement is wrong (probably a cut and 
paste without changes)

void init_q_lookup_sids(TALLOC_CTX *mem_ctx, LSA_Q_LOOKUP_SIDS *q_l,
			POLICY_HND *hnd, int num_sids, DOM_SID *sids,
			uint16 level)
{
	DEBUG(5, ("init_r_enum_trust_dom\n"));		<<<<<<<<<<<<<<<<<<


	at line 548 and later there are three mallocs. There is a check after every 
malloc, but if the first one or two mallocs are OK and the next fails, the 
memory allocated before is not released. Maybe it is released later, but 
it's worth checking.
	The same situation occurs at line 596

		if (!(r_e->hdr_domain_name = (UNIHDR2 *)
		      malloc(sizeof(UNIHDR2)))) return;

		if (!(r_e->uni_domain_name = (UNISTR2 *)
		      malloc(sizeof(UNISTR2)))) return;

		if (!(r_e->domain_sid = (DOM_SID2 *)
		      malloc(sizeof(DOM_SID2)))) return;



smbd/lanman.c

	at line 930 and other places around this file I found the following code

	desc.buflen = getlen(desc.format);
	desc.base = tmpdata = (char *) malloc (desc.buflen);
  }

  if (init_package(&desc,1,count)) {
	  desc.subcount = count;

	there is no check after malloc in this function. init_package DOES check the 
pointer and returns FALSE. There is no error in this code, but it is anything 
but readable this way.

Bye

Andreas Moroder
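Added example (not code from the mail or from Samba): the pattern the two main findings above ask for, namely checking every malloc before the pointer is dereferenced (locking.c, tdbpass.c) and releasing the earlier allocations when a later one in the same function fails (the three mallocs in parse_lsa.c). The struct and its three field types are constructed stand-ins, not the real UNIHDR2/UNISTR2/DOM_SID2 layouts, and the counted_malloc/counted_free wrappers are hypothetical helpers that count live blocks and can force the Nth allocation to fail, so the partial-failure path can be exercised deterministically and a leak shows up as a non-zero count.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-ins for the three heap-allocated fields quoted from
 * parse_lsa.c; the real UNIHDR2/UNISTR2/DOM_SID2 layouts are not reproduced. */
struct unihdr2  { unsigned short uni_str_len; };
struct unistr2  { char buffer[64]; };
struct dom_sid2 { unsigned char sid_rev_num; };

struct lsa_domain_entry {
    struct unihdr2  *hdr_domain_name;
    struct unistr2  *uni_domain_name;
    struct dom_sid2 *domain_sid;
};

/* Hypothetical allocation wrappers for this example only: they count live
 * blocks so a leak is observable, and let a caller force the Nth malloc to
 * fail, which is how the partial-failure path gets exercised deterministically. */
static int alloc_calls  = 0;   /* mallocs attempted since the last reset */
static int live_allocs  = 0;   /* blocks currently outstanding */
static int fail_on_call = 0;   /* 0 = never fail; N = return NULL on call N */

static void *counted_malloc(size_t n)
{
    void *p;
    alloc_calls++;
    if (fail_on_call != 0 && alloc_calls == fail_on_call)
        return NULL;               /* simulated out-of-memory */
    p = malloc(n);
    if (p != NULL)
        live_allocs++;
    return p;
}

static void counted_free(void *p)
{
    if (p != NULL) {               /* free(NULL) is a no-op; don't count it */
        live_allocs--;
        free(p);
    }
}

int outstanding_allocations(void) { return live_allocs; }

/* Releases whatever was allocated and leaves every field NULL, so it is safe
 * to call on a fully built entry, a half-built one, or one already released. */
void free_domain_entry(struct lsa_domain_entry *e)
{
    counted_free(e->hdr_domain_name);
    counted_free(e->uni_domain_name);
    counted_free(e->domain_sid);
    memset(e, 0, sizeof(*e));
}

/* Returns 1 on success. On any allocation failure, everything allocated so far
 * is released before returning 0, so the caller never inherits a leak or a
 * partially initialised entry. */
int init_domain_entry(struct lsa_domain_entry *e, const char *domain_name)
{
    size_t len;
    memset(e, 0, sizeof(*e));     /* all fields NULL before the first check */

    if (!(e->hdr_domain_name = counted_malloc(sizeof(*e->hdr_domain_name))))
        goto fail;
    if (!(e->uni_domain_name = counted_malloc(sizeof(*e->uni_domain_name))))
        goto fail;
    if (!(e->domain_sid = counted_malloc(sizeof(*e->domain_sid))))
        goto fail;

    /* Only dereference after every allocation has been checked. */
    len = strlen(domain_name);
    if (len >= sizeof(e->uni_domain_name->buffer))
        len = sizeof(e->uni_domain_name->buffer) - 1;
    memcpy(e->uni_domain_name->buffer, domain_name, len);
    e->uni_domain_name->buffer[len] = '\0';
    e->hdr_domain_name->uni_str_len = (unsigned short)len;
    e->domain_sid->sid_rev_num = 1;
    return 1;

fail:
    free_domain_entry(e);         /* undo the partial allocations */
    return 0;
}

/* Test hook: build an entry with malloc number fail_call (0 = none) forced to
 * fail. Returns the init result; the caller inspects e afterwards. */
int init_with_simulated_failure(struct lsa_domain_entry *e, int fail_call)
{
    int ok;
    alloc_calls = 0;
    fail_on_call = fail_call;
    ok = init_domain_entry(e, "EXAMPLE-DOMAIN");   /* constructed name */
    fail_on_call = 0;
    return ok;
}

int main(void)
{
    struct lsa_domain_entry e;
    int n;
    for (n = 0; n <= 3; n++) {
        int ok = init_with_simulated_failure(&e, n);
        printf("malloc #%d failing: init=%d outstanding=%d\n",
               n, ok, outstanding_allocations());
        free_domain_entry(&e);
    }
    return 0;
}
```

The same shape covers the simpler single-allocation cases in the mail: the pointer is tested before any memcpy or field store touches it, and because the struct is zeroed first and the cleanup routine tolerates NULL fields, one goto fail target handles failure at any of the three allocations without tracking which ones succeeded.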




More information about the samba-technical mailing list