[PATCH] Fix leak in credential_apply_config

[PATCH] Fix leak in credential_apply_config

[Mike Hommey]

Signed-off-by: Mike Hommey <mh@glandium.org>
---
 credential.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/credential.c b/credential.c
index 3c05c7c669..000ac7a8d4 100644
--- a/credential.c
+++ b/credential.c
@@ -128,6 +128,7 @@ static void credential_apply_config(struct credential *c)
 	normalized_url = url_normalize(url.buf, &config.url);
 
 	git_config(urlmatch_config_entry, &config);
+	string_list_clear(&config.vars, 1);
 	free(normalized_url);
 	strbuf_release(&url);
 
-- 
2.33.0

Re: [PATCH] Fix leak in credential_apply_config

[Derrick Stolee]

On 8/20/2021 4:44 AM, Mike Hommey wrote:
>  	normalized_url = url_normalize(url.buf, &config.url);
>  
>  	git_config(urlmatch_config_entry, &config);
> +	string_list_clear(&config.vars, 1);
>  	free(normalized_url);
>  	strbuf_release(&url);

A good find! This is obviously correct and a valuable change
to make. If you are interested in doing a little extra work,
then I think there is something more we could do here.

I took a look at the rest of "struct urlmatch_config" to see
if anything else needed to be cleared, and it turns out that
config.url.url is an allocated string, but happens to be
equal to normalized_url, which is freed here.

Perhaps the optimal organization would be to have a
clear_urlmatch_config() method that clears all allocated data
within the config, and change things like url_normalize()
return a 'const char *' to make it clear that the url should
be freed somewhere else.

It would help unify the handling of code that is somewhat
duplicated (but slightly different each time) across
credential_apply_config(), http_init(), get_urlmatch(),
and cmd__urlmatch_normalization().

Thanks,
-Stolee

Re: [PATCH] Fix leak in credential_apply_config

[Jeff King]

On Fri, Aug 20, 2021 at 10:58:56AM -0400, Derrick Stolee wrote:

> On 8/20/2021 4:44 AM, Mike Hommey wrote:
> >  	normalized_url = url_normalize(url.buf, &config.url);
> >  
> >  	git_config(urlmatch_config_entry, &config);
> > +	string_list_clear(&config.vars, 1);
> >  	free(normalized_url);
> >  	strbuf_release(&url);
> 
> A good find! This is obviously correct and a valuable change
> to make. If you are interested in doing a little extra work,
> then I think there is something more we could do here.
> 
> I took a look at the rest of "struct urlmatch_config" to see
> if anything else needed to be cleared, and it turns out that
> config.url.url is an allocated string, but happens to be
> equal to normalized_url, which is freed here.
> 
> Perhaps the optimal organization would be to have a
> clear_urlmatch_config() method that clears all allocated data
> within the config, and change things like url_normalize()
> return a 'const char *' to make it clear that the url should
> be freed somewhere else.

Yeah, I had the same thought; it feels like we're peeking into details
of how url_config works (especially the knowledge that we we should be
passing free_util).

> It would help unify the handling of code that is somewhat
> duplicated (but slightly different each time) across
> credential_apply_config(), http_init(), get_urlmatch(),
> and cmd__urlmatch_normalization().

Agreed. It looks like http_init() has the same leak that is fixed here.

-Peff

Re: [PATCH] Fix leak in credential_apply_config

[Jeff King]

On Fri, Aug 20, 2021 at 01:56:20PM -0400, Jeff King wrote:

> > It would help unify the handling of code that is somewhat
> > duplicated (but slightly different each time) across
> > credential_apply_config(), http_init(), get_urlmatch(),
> > and cmd__urlmatch_normalization().
> 
> Agreed. It looks like http_init() has the same leak that is fixed here.

Oh, nevermind. That call is indeed correct. Apparently if you re-order
two lines I'm unable to see them. ;)

-Peff