[PATCH] Fix several memory and resource leaks
Jeremy Allison
jra at samba.org
Thu Aug 9 18:12:32 UTC 2018
On Thu, Aug 09, 2018 at 04:53:58PM +0200, Andreas Schneider via samba-technical wrote:
> Hi,
>
> please review the attached patch and push if OK.
>
>
> Thanks,
>
>
> Andreas
>
> --
> Andreas Schneider asn at samba.org
> Samba Team www.samba.org
> GPG-ID: 8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D
> From 569a759a415fd29569b592c4debb90bfa3c894e5 Mon Sep 17 00:00:00 2001
> From: Andreas Schneider <asn at samba.org>
> Date: Thu, 9 Aug 2018 15:48:48 +0200
> Subject: [PATCH 01/10] libcli: Fix a possible memory leak in
> smb1cli_req_writev_submit()
>
> Found by covscan.
>
> BUG: https://bugzilla.samba.org/show_bug.cgi?id=13567
>
> Pair-Programmed-With: Justin Stephenson <jstephen at redhat.com>
> Signed-off-by: Andreas Schneider <asn at samba.org>
> Signed-off-by: Justin Stephenson <jstephen at redhat.com>
> ---
> libcli/smb/smbXcli_base.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c
> index ad1b67b8476..4023d0c0f13 100644
> --- a/libcli/smb/smbXcli_base.c
> +++ b/libcli/smb/smbXcli_base.c
> @@ -1748,6 +1748,7 @@ static NTSTATUS smb1cli_req_writev_submit(struct tevent_req *req,
> if (!NT_STATUS_IS_OK(status)) {
> DEBUG(0, ("Error in encrypting client message: %s\n",
> nt_errstr(status)));
> + SAFE_FREE(enc_buf);
> return status;
> }
> buf = (char *)talloc_memdup(state, enc_buf,
This also needs enc_buf to be set to NULL in the declaration
in order to be safe (what if common_encrypt_buffer() returns
an error without changing the value of enc_buf, it'll free
whatever random value was left on the stack.
> From 91bfe0c2fef41532ebbd1f0542fc58418a92bc20 Mon Sep 17 00:00:00 2001
> From: Andreas Schneider <asn at samba.org>
> Date: Thu, 9 Aug 2018 15:58:32 +0200
> Subject: [PATCH 03/10] s3:client: Avoid a possible fd leak in do_get()
>
> Found by covscan.
>
> BUG: https://bugzilla.samba.org/show_bug.cgi?id=13567
>
> Pair-Programmed-With: Justin Stephenson <jstephen at redhat.com>
> Signed-off-by: Andreas Schneider <asn at samba.org>
> Signed-off-by: Justin Stephenson <jstephen at redhat.com>
> ---
> source3/client/client.c | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/source3/client/client.c b/source3/client/client.c
> index f112b8c4ac1..c1e55739b8d 100644
> --- a/source3/client/client.c
> +++ b/source3/client/client.c
> @@ -1160,6 +1160,7 @@ static int do_get(const char *rname, const char *lname_in, bool reget)
> start = lseek(handle, 0, SEEK_END);
> if (start == -1) {
> d_printf("Error seeking local file\n");
> + close(handle);
> return 1;
> }
> }
> @@ -1181,6 +1182,9 @@ static int do_get(const char *rname, const char *lname_in, bool reget)
> NULL);
> if(!NT_STATUS_IS_OK(status)) {
> d_printf("getattrib: %s\n", nt_errstr(status));
> + if (newhandle) {
> + close(handle);
> + }
> return 1;
> }
> }
The above is incomplete, the same fix also needs adding to
the error path after the cli_pull() call.
> From 6c93412eb4f89f2197acdda96befa18710b3217f Mon Sep 17 00:00:00 2001
> From: Andreas Schneider <asn at samba.org>
> Date: Thu, 9 Aug 2018 16:42:43 +0200
> Subject: [PATCH 10/10] s4:lib: Fix a possible fd leak in gp_get_file()
>
> Found by covscan.
>
> BUG: https://bugzilla.samba.org/show_bug.cgi?id=13567
>
> Pair-Programmed-With: Justin Stephenson <jstephen at redhat.com>
> Signed-off-by: Andreas Schneider <asn at samba.org>
> Signed-off-by: Justin Stephenson <jstephen at redhat.com>
> ---
> source4/lib/policy/gp_filesys.c | 7 ++++++-
> 1 file changed, 6 insertions(+), 1 deletion(-)
>
> diff --git a/source4/lib/policy/gp_filesys.c b/source4/lib/policy/gp_filesys.c
> index d48fc9fd6b0..700c91dccca 100644
> --- a/source4/lib/policy/gp_filesys.c
> +++ b/source4/lib/policy/gp_filesys.c
> @@ -224,11 +224,15 @@ static NTSTATUS gp_get_file (struct smbcli_tree *tree, const char *remote_src,
> NT_STATUS_IS_ERR(smbcli_getattrE(tree, fh_remote,
> &attr, &file_size, NULL, NULL, NULL))) {
> DEBUG(0, ("Failed to get remote file size: %s\n", smbcli_errstr(tree)));
> + close(fh_local);
> return NT_STATUS_UNSUCCESSFUL;
> }
>
> buf = talloc_zero_array(tree, uint8_t, buf_size);
> - NT_STATUS_HAVE_NO_MEMORY(buf);
> + if (buf == NULL) {
> + close(fh_local);
> + return NT_STATUS_NO_MEMORY;
> + }
>
> /* Copy the contents of the file */
> while (1) {
> @@ -241,6 +245,7 @@ static NTSTATUS gp_get_file (struct smbcli_tree *tree, const char *remote_src,
> if (write(fh_local, buf, n) != n) {
> DEBUG(0, ("Short write while copying file.\n"));
> talloc_free(buf);
> + close(fh_local);
> return NT_STATUS_UNSUCCESSFUL;
> }
> nread += n;
> --
Incomplete, also needs to call smbcli_close() on
fh_remote in error cases.
Other patches look good - pushed. I'll update
these and re-post for you to examine.
Jeremy.
More information about the samba-technical
mailing list