Samba 2.2.0alpha2 snapshot released

Kenichi Okuyama okuyamak at dd.iij4u.or.jp
Tue Jan 30 02:32:49 GMT 2001


Dear Jeremy,


As I sent a patch before, there is a possibility of a memory leak in

./samba/source/smbd/nttrans.c

Since it is still not fixed in your new release, I'd like to
mention again what is wrong.




The following is the point where the bug exists. It is from line 1766.


  /* Allocate the space for the setup, the maximum needed parameters and data */

  if(setup_count > 0)
    setup = (char *)malloc(setup_count);
  if (total_parameter_count > 0)
    params = (char *)malloc(total_parameter_count);
  if (total_data_count > 0)
    data = (char *)malloc(total_data_count);
 
  /* A single combined check: on a partial failure the buffers that were
     already allocated above are never freed before the return. */
  if ((total_parameter_count && !params)  || (total_data_count && !data) ||
      (setup_count && !setup)) {
    DEBUG(0,("reply_nttrans : Out of memory\n"));
    END_PROFILE(SMBnttrans);
    return(ERROR(ERRDOS,ERRnomem));
  }


The problem will occur if, for example, "setup_count" and
"total_parameter_count" are non-zero, and "setup" could be malloced
but the allocation of "params" failed.

The 'if' statement should free the memory chunk held in "setup" in
order to avoid the memory leak, but the current code does no such
thing.


To avoid this kind of memory leak, it is not a good idea to check
for allocation failure at one point. You should instead check one
by one, as follows:


  /* setup, params and data are assumed to start out NULL, so that the
     free() calls below only touch buffers that were actually obtained. */
  if(setup_count > 0) {
    setup = (char *)malloc(setup_count);
    if ( setup == NULL ) {
      DEBUG(0,("reply_nttrans : Out of memory\n"));
      END_PROFILE(SMBnttrans);
      return(ERROR(ERRDOS,ERRnomem));
    }
  }
  if (total_parameter_count > 0) {
    params = (char *)malloc(total_parameter_count);
    if ( params == NULL ) {
      /* release what was obtained before this failure */
      if ( setup ) {
         free( setup );
      }
      DEBUG(0,("reply_nttrans : Out of memory\n"));
      END_PROFILE(SMBnttrans);
      return(ERROR(ERRDOS,ERRnomem));
    }
  }
  if (total_data_count > 0) {
    data = (char *)malloc(total_data_count);
    if ( data == NULL ) {
      /* release both earlier buffers, but only those that were allocated */
      if ( setup ) {
         free( setup );
      }
      if ( params ) {
         free( params );
      }
      DEBUG(0,("reply_nttrans : Out of memory\n"));
      END_PROFILE(SMBnttrans);
      return(ERROR(ERRDOS,ERRnomem));
    }
  }


By the way, this bug has existed ever since 2.0.7, and the samba-ja
group is now working on "samba-2.0.7-ja-2.2", in which this bug is
patched correctly. So, for the very short term, if you need 2.0.7
without this bug, please look for "samba-2.0.7-ja-2.2".

best regards,
---- 
Kenichi Okuyama at Tokyo Research Lab. IBM-Japan, Co.
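The leak described in the message above, shown as an added, stand-alone example that is not Samba code and not part of the original mail: a stand-in for the three-buffer allocation in reply_nttrans, with a failure-injecting malloc wrapper so the number of leaked blocks can be measured for both the "check everything once" pattern and a corrected version. The corrected version uses a single cleanup label instead of the per-step free() calls in the mail; the two are equivalent because the pointers start NULL and free(NULL) is a no-op. The names xmalloc, xfree, leaked_blocks and the buffer sizes 16/32/64 are constructed for this example.

```c
#include <stdio.h>
#include <stdlib.h>

/* Failure-injecting allocator: fail_on_call = n makes the n-th allocation
 * in a scenario return NULL; live_allocs counts blocks not yet freed. */
static int fail_on_call = 0;
static int call_count = 0;
static int live_allocs = 0;

static void *xmalloc(size_t n)
{
    void *p;
    call_count++;
    if (fail_on_call != 0 && call_count == fail_on_call)
        return NULL;
    p = malloc(n);
    if (p != NULL)
        live_allocs++;
    return p;
}

static void xfree(void *p)
{
    if (p != NULL) {
        live_allocs--;
        free(p);
    }
}

/* The pattern from the report: allocate all three buffers, then test for
 * failure once. On a partial failure the function returns with whatever
 * was already allocated still live, which is the leak. */
static int alloc_checked_once(size_t setup_count, size_t param_count,
                              size_t data_count)
{
    char *setup = NULL, *params = NULL, *data = NULL;

    if (setup_count > 0)
        setup = xmalloc(setup_count);
    if (param_count > 0)
        params = xmalloc(param_count);
    if (data_count > 0)
        data = xmalloc(data_count);

    if ((param_count && !params) || (data_count && !data) ||
        (setup_count && !setup))
        return -1;          /* early return: setup/params/data may leak */

    /* ... the request would be processed here ... */
    xfree(setup);
    xfree(params);
    xfree(data);
    return 0;
}

/* Corrected pattern: every exit goes through one cleanup label that frees
 * whatever was obtained. Pointers start NULL and xfree(NULL) is a no-op,
 * so this matches the per-step frees proposed in the mail. */
static int alloc_checked_each(size_t setup_count, size_t param_count,
                              size_t data_count)
{
    char *setup = NULL, *params = NULL, *data = NULL;
    int rc = -1;

    if (setup_count > 0 && (setup = xmalloc(setup_count)) == NULL)
        goto out;
    if (param_count > 0 && (params = xmalloc(param_count)) == NULL)
        goto out;
    if (data_count > 0 && (data = xmalloc(data_count)) == NULL)
        goto out;

    /* ... the request would be processed here ... */
    rc = 0;
out:
    xfree(setup);
    xfree(params);
    xfree(data);
    return rc;
}

/* Run fn with the n-th malloc failing (0 = no failure) and report how many
 * blocks were never freed. The buffer sizes are constructed sample values. */
static int leaked_blocks(int (*fn)(size_t, size_t, size_t), int fail_nth)
{
    call_count = 0;
    live_allocs = 0;
    fail_on_call = fail_nth;
    fn(16, 32, 64);
    fail_on_call = 0;
    return live_allocs;
}

int main(void)
{
    int n;
    for (n = 0; n <= 3; n++)
        printf("malloc #%d fails: check-once leaks %d block(s), check-each leaks %d\n",
               n, leaked_blocks(alloc_checked_once, n),
               leaked_blocks(alloc_checked_each, n));
    return 0;
}
```

Whichever of the three allocations fails, the check-once version leaks the two buffers that did succeed, while the check-each version leaks nothing. In a long-running server that is the practical difference between an allocation failure that costs one failed request and one that slowly consumes the process's memory.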



