[PATCH 0/2] some leak fixes on fs/ssh-signing-fix

[PATCH 0/2] some leak fixes on fs/ssh-signing-fix

[Jeff King]

This fixes two small leaks on top of fs/ssh-signing-fix noticed by
Coverity. I guess it's too late to squash them in, so I prepared patches
on top.

  [1/2]: gpg-interface: fix leak of "line" in parse_ssh_output()
  [2/2]: gpg-interface: fix leak of strbufs in get_ssh_key_fingerprint()

 gpg-interface.c | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

-Peff

[PATCH 1/2] gpg-interface: fix leak of "line" in parse_ssh_output()

[Jeff King]

We xmemdupz() this buffer, but never free it. Let's do so. We'll use a
cleanup label, since there are multiple exits from the function.

Note that it was also declared a "const char *". We could switch that to
"char *" to indicate that it's allocated, but that make it awkward to
use with skip_prefix(). So instead, we'll introduce an extra non-const
pointer.

Signed-off-by: Jeff King <peff@peff.net>
---
 gpg-interface.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/gpg-interface.c b/gpg-interface.c
index 433482307c..c60b9cd19d 100644
--- a/gpg-interface.c
+++ b/gpg-interface.c
@@ -365,6 +365,7 @@ static int verify_gpg_signed_buffer(struct signature_check *sigc,
 static void parse_ssh_output(struct signature_check *sigc)
 {
 	const char *line, *principal, *search;
+	char *to_free;
 	char *key = NULL;
 
 	/*
@@ -383,7 +384,7 @@ static void parse_ssh_output(struct signature_check *sigc)
 	sigc->result = 'B';
 	sigc->trust_level = TRUST_NEVER;
 
-	line = xmemdupz(sigc->output, strcspn(sigc->output, "\n"));
+	line = to_free = xmemdupz(sigc->output, strcspn(sigc->output, "\n"));
 
 	if (skip_prefix(line, "Good \"git\" signature for ", &line)) {
 		/* Valid signature and known principal */
@@ -403,7 +404,7 @@ static void parse_ssh_output(struct signature_check *sigc)
 		sigc->result = 'G';
 		sigc->trust_level = TRUST_UNDEFINED;
 	} else {
-		return;
+		goto cleanup;
 	}
 
 	key = strstr(line, "key");
@@ -417,6 +418,9 @@ static void parse_ssh_output(struct signature_check *sigc)
 		 */
 		sigc->result = 'B';
 	}
+
+cleanup:
+	free(to_free);
 }
 
 static int verify_ssh_signed_buffer(struct signature_check *sigc,
-- 
2.33.1.1223.g80c1dbe6e5

[PATCH 2/2] gpg-interface: fix leak of strbufs in get_ssh_key_fingerprint()

[Jeff King]

We read stdout from gpg into a strbuf, then split it into a list of
strbufs, pull out one element, and return it. But we don't free either
the original stdout buffer, nor the list returned from strbuf_split().

This patch fixes both. Note that we have to detach the returned string
from its strbuf before calling strbuf_list_free(), as that would
otherwise throw it away.

Signed-off-by: Jeff King <peff@peff.net>
---
 gpg-interface.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/gpg-interface.c b/gpg-interface.c
index c60b9cd19d..800d8caa67 100644
--- a/gpg-interface.c
+++ b/gpg-interface.c
@@ -711,6 +711,7 @@ static char *get_ssh_key_fingerprint(const char *signing_key)
 	int ret = -1;
 	struct strbuf fingerprint_stdout = STRBUF_INIT;
 	struct strbuf **fingerprint;
+	char *fingerprint_ret;
 
 	/*
 	 * With SSH Signing this can contain a filename or a public key
@@ -737,7 +738,10 @@ static char *get_ssh_key_fingerprint(const char *signing_key)
 		die_errno(_("failed to get the ssh fingerprint for key '%s'"),
 			  signing_key);
 
-	return strbuf_detach(fingerprint[1], NULL);
+	fingerprint_ret = strbuf_detach(fingerprint[1], NULL);
+	strbuf_list_free(fingerprint);
+	strbuf_release(&fingerprint_stdout);
+	return fingerprint_ret;
 }
 
 /* Returns the first public key from an ssh-agent to use for signing */
-- 
2.33.1.1223.g80c1dbe6e5

Re: [PATCH 0/2] some leak fixes on fs/ssh-signing-fix

[Fabian Stelzer]

On 18.10.21 19:11, Jeff King wrote:
> This fixes two small leaks on top of fs/ssh-signing-fix noticed by
> Coverity. I guess it's too late to squash them in, so I prepared patches
> on top.
> 
>   [1/2]: gpg-interface: fix leak of "line" in parse_ssh_output()
>   [2/2]: gpg-interface: fix leak of strbufs in get_ssh_key_fingerprint()
> 
>  gpg-interface.c | 14 +++++++++++---
>  1 file changed, 11 insertions(+), 3 deletions(-)
> 
> -Peff
> 

Thanks.
Both of these look good.

Is coverity included in the ci/gh actions? Where would these notices
show up?

Kind regards,
Fabian

Re: [PATCH 0/2] some leak fixes on fs/ssh-signing-fix

[Jeff King]

On Tue, Oct 19, 2021 at 10:16:41AM +0200, Fabian Stelzer wrote:

> Is coverity included in the ci/gh actions? Where would these notices
> show up?

Not currently. I've been playing with running it in an action, and may
submit something to make it more official. There's some discussion here:

  https://lore.kernel.org/git/YV5dmkkuCqAY2qqG@coredump.intra.peff.net/

There's also some on-going work to make the test suite run without
leak-checkers (I didn't dig them up, but you can find recent topics and
commits from Ævar). But we've got a ways to go, so you'd likely find a
bunch of existing leaks if you tried it.

So no, for now there was nothing obvious you could have seen that would
have alerted you.

-Peff