diff options
| author | Jeremy Allison <jra@samba.org> | 2006-03-07 06:31:04 +0000 |
|---|---|---|
| committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 11:10:59 -0500 |
| commit | 894358a8f3e338b339b6c37233edef794b312087 (patch) | |
| tree | 2dade0771837ba267d365af24d551c3084f0f948 /source3/lib | |
| parent | 1d5ed2bde9a67083c9b73c7eb6fb966c0e824ab2 (diff) | |
| download | samba-894358a8f3e338b339b6c37233edef794b312087.tar.gz samba-894358a8f3e338b339b6c37233edef794b312087.tar.bz2 samba-894358a8f3e338b339b6c37233edef794b312087.zip | |
r13915: Fixed a very interesting class of realloc() bugs found by Coverity.
realloc can return NULL in one of two cases - (1) the realloc failed,
(2) realloc succeeded but the new size requested was zero, in which
case this is identical to a free() call.
The error paths dealing with these two cases should be different,
but mostly weren't. Secondly the standard idiom for dealing with
realloc when you know the new size is non-zero is the following :
tmp = realloc(p, size);
if (!tmp) {
SAFE_FREE(p);
return error;
} else {
p = tmp;
}
However, there were *many* *many* places in Samba where we were
using the old (broken) idiom of :
p = realloc(p, size)
if (!p) {
return error;
}
which will leak the memory pointed to by p on realloc fail.
This commit (hopefully) fixes all these cases by moving to
a standard idiom of :
p = SMB_REALLOC(p, size)
if (!p) {
return error;
}
Where if the realloc returns null due to the realloc failing
or size == 0 we *guarentee* that the storage pointed to by p
has been freed. This allows me to remove a lot of code that
was dealing with the standard (more verbose) method that required
a tmp pointer. This is almost always what you want. When a
realloc fails you never usually want the old memory, you
want to free it and get into your error processing asap.
For the 11 remaining cases where we really do need to keep the
old pointer I have invented the new macro SMB_REALLOC_KEEP_OLD_ON_ERROR,
which can be used as follows :
tmp = SMB_REALLOC_KEEP_OLD_ON_ERROR(p, size);
if (!tmp) {
SAFE_FREE(p);
return error;
} else {
p = tmp;
}
SMB_REALLOC_KEEP_OLD_ON_ERROR guarentees never to free the
pointer p, even on size == 0 or realloc fail. All this is
done by a hidden extra argument to Realloc(), BOOL free_old_on_error
which is set appropriately by the SMB_REALLOC and SMB_REALLOC_KEEP_OLD_ON_ERROR
macros (and their array counterparts).
It remains to be seen what this will do to our Coverity bug count :-).
Jeremy.
(This used to be commit 1d710d06a214f3f1740e80e0bffd6aab44aac2b0)
Diffstat (limited to 'source3/lib')
| -rw-r--r-- | source3/lib/charcnv.c | 25 | ||||
| -rw-r--r-- | source3/lib/ldap_escape.c | 7 | ||||
| -rw-r--r-- | source3/lib/sysacls.c | 11 | ||||
| -rw-r--r-- | source3/lib/system_smbd.c | 9 | ||||
| -rw-r--r-- | source3/lib/util.c | 99 | ||||
| -rw-r--r-- | source3/lib/util_file.c | 23 | ||||
| -rw-r--r-- | source3/lib/util_sid.c | 8 | ||||
| -rw-r--r-- | source3/lib/util_str.c | 34 | ||||
| -rw-r--r-- | source3/lib/wins_srv.c | 3 |
9 files changed, 125 insertions, 94 deletions
diff --git a/source3/lib/charcnv.c b/source3/lib/charcnv.c index c4eeab135e..ae04fd9ffb 100644 --- a/source3/lib/charcnv.c +++ b/source3/lib/charcnv.c @@ -537,19 +537,17 @@ size_t convert_string_allocate(TALLOC_CTX *ctx, charset_t from, charset_t to, destlen = destlen * 2; } - if (ctx) + if (ctx) { ob = (char *)TALLOC_REALLOC(ctx, ob, destlen); - else + } else { ob = (char *)SMB_REALLOC(ob, destlen); + } if (!ob) { DEBUG(0, ("convert_string_allocate: realloc failed!\n")); - if (!ctx) - SAFE_FREE(outbuf); return (size_t)-1; - } else { - outbuf = ob; } + outbuf = ob; i_len = srclen; o_len = destlen; @@ -587,17 +585,18 @@ size_t convert_string_allocate(TALLOC_CTX *ctx, charset_t from, charset_t to, out: destlen = destlen - o_len; - if (ctx) - *dest = (char *)TALLOC_REALLOC(ctx,ob,destlen); - else - *dest = (char *)SMB_REALLOC(ob,destlen); - if (destlen && !*dest) { + if (ctx) { + ob = (char *)TALLOC_REALLOC(ctx,ob,destlen); + } else { + ob = (char *)SMB_REALLOC(ob,destlen); + } + + if (destlen && !ob) { DEBUG(0, ("convert_string_allocate: out of memory!\n")); - if (!ctx) - SAFE_FREE(ob); return (size_t)-1; } + *dest = ob; return destlen; use_as_is: diff --git a/source3/lib/ldap_escape.c b/source3/lib/ldap_escape.c index 6c4e8b8c83..3feb0e0c44 100644 --- a/source3/lib/ldap_escape.c +++ b/source3/lib/ldap_escape.c @@ -37,7 +37,6 @@ char *escape_ldap_string_alloc(const char *s) { size_t len = strlen(s)+1; char *output = SMB_MALLOC(len); - char *output_tmp; const char *sub; int i = 0; char *p = output; @@ -65,12 +64,10 @@ char *escape_ldap_string_alloc(const char *s) if (sub) { len = len + 3; - output_tmp = SMB_REALLOC(output, len); - if (!output_tmp) { - SAFE_FREE(output); + output = SMB_REALLOC(output, len); + if (!output) { return NULL; } - output = output_tmp; p = &output[i]; strncpy (p, sub, 3); diff --git a/source3/lib/sysacls.c b/source3/lib/sysacls.c index e7bd288f6e..61975264fd 100644 --- a/source3/lib/sysacls.c +++ b/source3/lib/sysacls.c @@ -689,12 +689,8 @@ char *sys_acl_to_text(SMB_ACL_T acl_d, ssize_t *len_p) * for each entry still to be processed */ if ((len + nbytes) > maxlen) { - char *oldtext = text; - maxlen += nbytes + 20 * (acl_d->count - i); - - if ((text = SMB_REALLOC(oldtext, maxlen)) == NULL) { - SAFE_FREE(oldtext); + if ((text = SMB_REALLOC(text, maxlen)) == NULL) { errno = ENOMEM; return NULL; } @@ -1320,11 +1316,8 @@ char *sys_acl_to_text(SMB_ACL_T acl_d, ssize_t *len_p) * for each entry still to be processed */ if ((len + nbytes) > maxlen) { - char *oldtext = text; - maxlen += nbytes + 20 * (acl_d->count - i); - - if ((text = SMB_REALLOC(oldtext, maxlen)) == NULL) { + if ((text = SMB_REALLOC(text, maxlen)) == NULL) { free(oldtext); errno = ENOMEM; return NULL; diff --git a/source3/lib/system_smbd.c b/source3/lib/system_smbd.c index 081a07c019..c627ae6270 100644 --- a/source3/lib/system_smbd.c +++ b/source3/lib/system_smbd.c @@ -166,15 +166,10 @@ BOOL getgroups_unix_user(TALLOC_CTX *mem_ctx, const char *user, } if (sys_getgrouplist(user, primary_gid, temp_groups, &max_grp) == -1) { - gid_t *groups_tmp; - - groups_tmp = SMB_REALLOC_ARRAY(temp_groups, gid_t, max_grp); - - if (!groups_tmp) { - SAFE_FREE(temp_groups); + temp_groups = SMB_REALLOC_ARRAY(temp_groups, gid_t, max_grp); + if (!temp_groups) { return False; } - temp_groups = groups_tmp; if (sys_getgrouplist(user, primary_gid, temp_groups, &max_grp) == -1) { diff --git a/source3/lib/util.c b/source3/lib/util.c index d4443a6480..758ebfd27d 100644 --- a/source3/lib/util.c +++ b/source3/lib/util.c @@ -291,13 +291,15 @@ void add_gid_to_array_unique(TALLOC_CTX *mem_ctx, gid_t gid, return; } - if (mem_ctx != NULL) + if (mem_ctx != NULL) { *gids = TALLOC_REALLOC_ARRAY(mem_ctx, *gids, gid_t, *num_gids+1); - else + } else { *gids = SMB_REALLOC_ARRAY(*gids, gid_t, *num_gids+1); + } - if (*gids == NULL) + if (*gids == NULL) { return; + } (*gids)[*num_gids] = gid; *num_gids += 1; @@ -342,14 +344,10 @@ const char *get_numlist(const char *p, uint32 **num, int *count) (*num ) = NULL; while ((p = Atoic(p, &val, ":,")) != NULL && (*p) != ':') { - uint32 *tn; - - tn = SMB_REALLOC_ARRAY((*num), uint32, (*count)+1); - if (tn == NULL) { - SAFE_FREE(*num); + *num = SMB_REALLOC_ARRAY((*num), uint32, (*count)+1); + if (!(*num)) { return NULL; - } else - (*num) = tn; + } (*num)[(*count)] = val; (*count)++; p++; @@ -941,32 +939,68 @@ void *calloc_array(size_t size, size_t nmemb) /**************************************************************************** Expand a pointer to be a particular size. + Note that this version of Realloc has an extra parameter that decides + whether to free the passed in storage on allocation failure or if the + new size is zero. + + This is designed for use in the typical idiom of : + + p = SMB_REALLOC(p, size) + if (!p) { + return error; + } + + and not to have to keep track of the old 'p' contents to free later, nor + to worry if the size parameter was zero. In the case where NULL is returned + we guarentee that p has been freed. + + If free later semantics are desired, then pass 'free_old_on_error' as False which + guarentees that the old contents are not freed on error, even if size == 0. To use + this idiom use : + + tmp = SMB_REALLOC_KEEP_OLD_ON_ERROR(p, size); + if (!tmp) { + SAFE_FREE(p); + return error; + } else { + p = tmp; + } + + Changes were instigated by Coverity error checking. JRA. ****************************************************************************/ -void *Realloc(void *p,size_t size) +void *Realloc(void *p, size_t size, BOOL free_old_on_error) { void *ret=NULL; if (size == 0) { - SAFE_FREE(p); - DEBUG(5,("Realloc asked for 0 bytes\n")); + if (free_old_on_error) { + SAFE_FREE(p); + } + DEBUG(2,("Realloc asked for 0 bytes\n")); return NULL; } #if defined(PARANOID_MALLOC_CHECKER) - if (!p) + if (!p) { ret = (void *)malloc_(size); - else + } else { ret = (void *)realloc_(p,size); + } #else - if (!p) + if (!p) { ret = (void *)malloc(size); - else + } else { ret = (void *)realloc(p,size); + } #endif - if (!ret) + if (!ret) { + if (free_old_on_error && p) { + SAFE_FREE(p); + } DEBUG(0,("Memory allocation error: failed to expand to %d bytes\n",(int)size)); + } return(ret); } @@ -975,23 +1009,28 @@ void *Realloc(void *p,size_t size) Type-safe realloc. ****************************************************************************/ -void *realloc_array(void *p,size_t el_size, unsigned int count) +void *realloc_array(void *p, size_t el_size, unsigned int count, BOOL keep_old_on_error) { if (count >= MAX_ALLOC_SIZE/el_size) { + if (!keep_old_on_error) { + SAFE_FREE(p); + } return NULL; } - return Realloc(p,el_size*count); + return Realloc(p, el_size*count, keep_old_on_error); } /**************************************************************************** - (Hopefully) efficient array append + (Hopefully) efficient array append. ****************************************************************************/ + void add_to_large_array(TALLOC_CTX *mem_ctx, size_t element_size, void *element, void **array, uint32 *num_elements, ssize_t *array_size) { - if (*array_size < 0) + if (*array_size < 0) { return; + } if (*array == NULL) { if (*array_size == 0) { @@ -1002,13 +1041,15 @@ void add_to_large_array(TALLOC_CTX *mem_ctx, size_t element_size, goto error; } - if (mem_ctx != NULL) + if (mem_ctx != NULL) { *array = TALLOC(mem_ctx, element_size * (*array_size)); - else + } else { *array = SMB_MALLOC(element_size * (*array_size)); + } - if (*array == NULL) + if (*array == NULL) { goto error; + } } if (*num_elements == *array_size) { @@ -1018,15 +1059,17 @@ void add_to_large_array(TALLOC_CTX *mem_ctx, size_t element_size, goto error; } - if (mem_ctx != NULL) + if (mem_ctx != NULL) { *array = TALLOC_REALLOC(mem_ctx, *array, element_size * (*array_size)); - else + } else { *array = SMB_REALLOC(*array, element_size * (*array_size)); + } - if (*array == NULL) + if (*array == NULL) { goto error; + } } memcpy((char *)(*array) + element_size*(*num_elements), diff --git a/source3/lib/util_file.c b/source3/lib/util_file.c index 53a9bc9b41..06008886c0 100644 --- a/source3/lib/util_file.c +++ b/source3/lib/util_file.c @@ -322,16 +322,11 @@ char *fgets_slash(char *s2,int maxlen,XFILE *f) } if (!s2 && len > maxlen-3) { - char *t; - maxlen *= 2; - t = (char *)SMB_REALLOC(s,maxlen); - if (!t) { + s = (char *)SMB_REALLOC(s,maxlen); + if (!s) { DEBUG(0,("fgets_slash: failed to expand buffer!\n")); - SAFE_FREE(s); return(NULL); - } else { - s = t; } } } @@ -345,7 +340,7 @@ char *fgets_slash(char *s2,int maxlen,XFILE *f) char *file_pload(char *syscmd, size_t *size) { int fd, n; - char *p, *tp; + char *p; pstring buf; size_t total; @@ -358,19 +353,19 @@ char *file_pload(char *syscmd, size_t *size) total = 0; while ((n = read(fd, buf, sizeof(buf))) > 0) { - tp = SMB_REALLOC(p, total + n + 1); - if (!tp) { + p = SMB_REALLOC(p, total + n + 1); + if (!p) { DEBUG(0,("file_pload: failed to expand buffer!\n")); close(fd); - SAFE_FREE(p); return NULL; - } else { - p = tp; } memcpy(p+total, buf, n); total += n; } - if (p) p[total] = 0; + + if (p) { + p[total] = 0; + } /* FIXME: Perhaps ought to check that the command completed * successfully (returned 0); if not the data may be diff --git a/source3/lib/util_sid.c b/source3/lib/util_sid.c index c7f9dc2fdb..3be52dd9f7 100644 --- a/source3/lib/util_sid.c +++ b/source3/lib/util_sid.c @@ -563,14 +563,16 @@ DOM_SID *sid_dup_talloc(TALLOC_CTX *ctx, const DOM_SID *src) void add_sid_to_array(TALLOC_CTX *mem_ctx, const DOM_SID *sid, DOM_SID **sids, size_t *num) { - if (mem_ctx != NULL) + if (mem_ctx != NULL) { *sids = TALLOC_REALLOC_ARRAY(mem_ctx, *sids, DOM_SID, (*num)+1); - else + } else { *sids = SMB_REALLOC_ARRAY(*sids, DOM_SID, (*num)+1); + } - if (*sids == NULL) + if (*sids == NULL) { return; + } sid_copy(&((*sids)[*num]), sid); *num += 1; diff --git a/source3/lib/util_str.c b/source3/lib/util_str.c index e799556cd1..f1ae9a472a 100644 --- a/source3/lib/util_str.c +++ b/source3/lib/util_str.c @@ -1049,14 +1049,13 @@ char *realloc_string_sub(char *string, const char *pattern, while ((p = strstr_m(s,pattern))) { if (ld > 0) { int offset = PTR_DIFF(s,string); - char *t = SMB_REALLOC(string, ls + ld + 1); - if (!t) { + string = SMB_REALLOC(string, ls + ld + 1); + if (!string) { DEBUG(0, ("realloc_string_sub: out of memory!\n")); SAFE_FREE(in); return NULL; } - string = t; - p = t + offset + (p - s); + p = string + offset + (p - s); } if (li != lp) { memmove(p+li,p+lp,strlen(p+lp)+1); @@ -1119,15 +1118,14 @@ char *talloc_string_sub(TALLOC_CTX *mem_ctx, const char *src, while ((p = strstr_m(s,pattern))) { if (ld > 0) { int offset = PTR_DIFF(s,string); - char *t = TALLOC_REALLOC(mem_ctx, string, ls + ld + 1); - if (!t) { + string = TALLOC_REALLOC(mem_ctx, string, ls + ld + 1); + if (!string) { DEBUG(0, ("talloc_string_sub: out of " "memory!\n")); SAFE_FREE(in); return NULL; } - string = t; - p = t + offset + (p - s); + p = string + offset + (p - s); } if (li != lp) { memmove(p+li,p+lp,strlen(p+lp)+1); @@ -1703,7 +1701,9 @@ static char **str_list_make_internal(TALLOC_CTX *mem_ctx, const char *string, co if (mem_ctx) { rlist = TALLOC_REALLOC_ARRAY(mem_ctx, list, char *, lsize +1); } else { - rlist = SMB_REALLOC_ARRAY(list, char *, lsize +1); + /* We need to keep the old list on error so we can free the elements + if the realloc fails. */ + rlist = SMB_REALLOC_ARRAY_KEEP_OLD_ON_ERROR(list, char *, lsize +1); } if (!rlist) { DEBUG(0,("str_list_make: Unable to allocate memory")); @@ -1714,8 +1714,9 @@ static char **str_list_make_internal(TALLOC_CTX *mem_ctx, const char *string, co SAFE_FREE(s); } return NULL; - } else + } else { list = rlist; + } memset (&list[num], 0, ((sizeof(char**)) * (S_LIST_ABS +1))); } @@ -1773,7 +1774,7 @@ BOOL str_list_copy(char ***dest, const char **src) while (src[num]) { if (num == lsize) { lsize += S_LIST_ABS; - rlist = SMB_REALLOC_ARRAY(list, char *, lsize +1); + rlist = SMB_REALLOC_ARRAY_KEEP_OLD_ON_ERROR(list, char *, lsize +1); if (!rlist) { DEBUG(0,("str_list_copy: Unable to re-allocate memory")); str_list_free(&list); @@ -2266,8 +2267,9 @@ void string_append(char **left, const char *right) *left = SMB_REALLOC(*left, new_len); } - if (*left == NULL) + if (*left == NULL) { return; + } safe_strcat(*left, right, new_len-1); } @@ -2334,14 +2336,16 @@ void sprintf_append(TALLOC_CTX *mem_ctx, char **string, ssize_t *len, } if (increased) { - if (mem_ctx != NULL) + if (mem_ctx != NULL) { *string = TALLOC_REALLOC_ARRAY(mem_ctx, *string, char, *bufsize); - else + } else { *string = SMB_REALLOC_ARRAY(*string, char, *bufsize); + } - if (*string == NULL) + if (*string == NULL) { goto error; + } } StrnCpy((*string)+(*len), newstr, ret); diff --git a/source3/lib/wins_srv.c b/source3/lib/wins_srv.c index c139f427ca..dbe4fceacc 100644 --- a/source3/lib/wins_srv.c +++ b/source3/lib/wins_srv.c @@ -245,6 +245,9 @@ char **wins_srv_tags(void) /* add it to the list */ ret = SMB_REALLOC_ARRAY(ret, char *, count+2); + if (!ret) { + return NULL; + } ret[count] = SMB_STRDUP(t_ip.tag); if (!ret[count]) break; count++; |