Memory leak in cephwrap_realpath (vfs_ceph.c)

Rungta, Vandana vrungta at amazon.com
Sun May 6 16:53:30 UTC 2018


There are a couple of memory leak issues in cephwrap_realpath in vfs_ceph.c


  1.  “result” is allocated twice: first by SMB_MALLOC_ARRAY and then again by asprintf, so the first buffer is leaked.
  2.  The error code paths for r < 0 need to SAFE_FREE “result”.


diff --git a/source3/modules/vfs_ceph.c b/source3/modules/vfs_ceph.c

index 9abd321..18c5413 100644

--- a/source3/modules/vfs_ceph.c

+++ b/source3/modules/vfs_ceph.c

@@ -1187,30 +1187,30 @@ static struct smb_filename *cephwrap_realpath(struct vfs_handle_struct *handle,

                                TALLOC_CTX *ctx,

                                const struct smb_filename *smb_fname)

 {

-       char *result;

+       char *result = NULL;

        const char *path = smb_fname->base_name;

        size_t len = strlen(path);

        struct smb_filename *result_fname = NULL;

+        int r;



-       result = SMB_MALLOC_ARRAY(char, PATH_MAX+1);

        if (len && (path[0] == '/')) {

-               int r = asprintf(&result, "%s", path);

-               if (r < 0) return NULL;

+               r = asprintf(&result, "%s", path);

        } else if ((len >= 2) && (path[0] == '.') && (path[1] == '/')) {

                if (len == 2) {

-                       int r = asprintf(&result, "%s",

+                       r = asprintf(&result, "%s",

                                        handle->conn->connectpath);

-                       if (r < 0) return NULL;

                } else {

-                       int r = asprintf(&result, "%s/%s",

+                       r = asprintf(&result, "%s/%s",

                                        handle->conn->connectpath, &path[2]);

-                       if (r < 0) return NULL;

                }

        } else {

-               int r = asprintf(&result, "%s/%s",

+               r = asprintf(&result, "%s/%s",

                                handle->conn->connectpath, path);

-               if (r < 0) return NULL;

        }

+       if (r < 0) {

+            SAFE_FREE(result);

+            return NULL;

+        }

        DBG_DEBUG("[CEPH] realpath(%p, %s) = %s\n", handle, path, result);

        result_fname = synthetic_smb_fname(ctx,

                                result,
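Review bot: The new `SAFE_FREE(result);` inside the consolidated `if (r < 0)` block frees a pointer whose value is not guaranteed after a failed asprintf; the glibc manual page states that the contents of the output pointer are undefined when the call returns -1. Because this change removes the up-front `SMB_MALLOC_ARRAY`, `result` owns nothing on that path, so `if (r < 0) { return NULL; }` is enough and avoids passing an indeterminate pointer to free. The `= NULL` initializer only helps if the asprintf implementation in use leaves the pointer untouched on failure, which the visible lines do not establish. The function body continues past the end of the hunk, so whether `result` is released after `synthetic_smb_fname()` copies it cannot be confirmed from here and is worth checking in the same pass.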

Thanks,
Vandana Rungta

