* [PATCH 0/2] some leak fixes on fs/ssh-signing-fix
@ 2021-10-18 17:11 Jeff King
2021-10-18 17:15 ` [PATCH 1/2] gpg-interface: fix leak of "line" in parse_ssh_output() Jeff King
` (2 more replies)
0 siblings, 3 replies; 5+ messages in thread
From: Jeff King @ 2021-10-18 17:11 UTC (permalink / raw)
To: git; +Cc: Fabian Stelzer
This fixes two small leaks on top of fs/ssh-signing-fix noticed by
Coverity. I guess it's too late to squash them in, so I prepared patches
on top.
[1/2]: gpg-interface: fix leak of "line" in parse_ssh_output()
[2/2]: gpg-interface: fix leak of strbufs in get_ssh_key_fingerprint()
gpg-interface.c | 14 +++++++++++---
1 file changed, 11 insertions(+), 3 deletions(-)
-Peff
^ permalink raw reply [flat|nested] 5+ messages in thread
* [PATCH 1/2] gpg-interface: fix leak of "line" in parse_ssh_output()
2021-10-18 17:11 [PATCH 0/2] some leak fixes on fs/ssh-signing-fix Jeff King
@ 2021-10-18 17:15 ` Jeff King
2021-10-18 17:15 ` [PATCH 2/2] gpg-interface: fix leak of strbufs in get_ssh_key_fingerprint() Jeff King
2021-10-19 8:16 ` [PATCH 0/2] some leak fixes on fs/ssh-signing-fix Fabian Stelzer
2 siblings, 0 replies; 5+ messages in thread
From: Jeff King @ 2021-10-18 17:15 UTC (permalink / raw)
To: git; +Cc: Fabian Stelzer
We xmemdupz() this buffer, but never free it. Let's do so. We'll use a
cleanup label, since there are multiple exits from the function.
Note that it was also declared a "const char *". We could switch that to
"char *" to indicate that it's allocated, but that make it awkward to
use with skip_prefix(). So instead, we'll introduce an extra non-const
pointer.
Signed-off-by: Jeff King <peff@peff.net>
---
gpg-interface.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/gpg-interface.c b/gpg-interface.c
index 433482307c..c60b9cd19d 100644
--- a/gpg-interface.c
+++ b/gpg-interface.c
@@ -365,6 +365,7 @@ static int verify_gpg_signed_buffer(struct signature_check *sigc,
static void parse_ssh_output(struct signature_check *sigc)
{
const char *line, *principal, *search;
+ char *to_free;
char *key = NULL;
/*
@@ -383,7 +384,7 @@ static void parse_ssh_output(struct signature_check *sigc)
sigc->result = 'B';
sigc->trust_level = TRUST_NEVER;
- line = xmemdupz(sigc->output, strcspn(sigc->output, "\n"));
+ line = to_free = xmemdupz(sigc->output, strcspn(sigc->output, "\n"));
if (skip_prefix(line, "Good \"git\" signature for ", &line)) {
/* Valid signature and known principal */
@@ -403,7 +404,7 @@ static void parse_ssh_output(struct signature_check *sigc)
sigc->result = 'G';
sigc->trust_level = TRUST_UNDEFINED;
} else {
- return;
+ goto cleanup;
}
key = strstr(line, "key");
@@ -417,6 +418,9 @@ static void parse_ssh_output(struct signature_check *sigc)
*/
sigc->result = 'B';
}
+
+cleanup:
+ free(to_free);
}
static int verify_ssh_signed_buffer(struct signature_check *sigc,
--
2.33.1.1223.g80c1dbe6e5
^ permalink raw reply related [flat|nested] 5+ messages in thread
* [PATCH 2/2] gpg-interface: fix leak of strbufs in get_ssh_key_fingerprint()
2021-10-18 17:11 [PATCH 0/2] some leak fixes on fs/ssh-signing-fix Jeff King
2021-10-18 17:15 ` [PATCH 1/2] gpg-interface: fix leak of "line" in parse_ssh_output() Jeff King
@ 2021-10-18 17:15 ` Jeff King
2021-10-19 8:16 ` [PATCH 0/2] some leak fixes on fs/ssh-signing-fix Fabian Stelzer
2 siblings, 0 replies; 5+ messages in thread
From: Jeff King @ 2021-10-18 17:15 UTC (permalink / raw)
To: git; +Cc: Fabian Stelzer
We read stdout from gpg into a strbuf, then split it into a list of
strbufs, pull out one element, and return it. But we don't free either
the original stdout buffer, nor the list returned from strbuf_split().
This patch fixes both. Note that we have to detach the returned string
from its strbuf before calling strbuf_list_free(), as that would
otherwise throw it away.
Signed-off-by: Jeff King <peff@peff.net>
---
gpg-interface.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/gpg-interface.c b/gpg-interface.c
index c60b9cd19d..800d8caa67 100644
--- a/gpg-interface.c
+++ b/gpg-interface.c
@@ -711,6 +711,7 @@ static char *get_ssh_key_fingerprint(const char *signing_key)
int ret = -1;
struct strbuf fingerprint_stdout = STRBUF_INIT;
struct strbuf **fingerprint;
+ char *fingerprint_ret;
/*
* With SSH Signing this can contain a filename or a public key
@@ -737,7 +738,10 @@ static char *get_ssh_key_fingerprint(const char *signing_key)
die_errno(_("failed to get the ssh fingerprint for key '%s'"),
signing_key);
- return strbuf_detach(fingerprint[1], NULL);
+ fingerprint_ret = strbuf_detach(fingerprint[1], NULL);
+ strbuf_list_free(fingerprint);
+ strbuf_release(&fingerprint_stdout);
+ return fingerprint_ret;
}
/* Returns the first public key from an ssh-agent to use for signing */
--
2.33.1.1223.g80c1dbe6e5
^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [PATCH 0/2] some leak fixes on fs/ssh-signing-fix
2021-10-18 17:11 [PATCH 0/2] some leak fixes on fs/ssh-signing-fix Jeff King
2021-10-18 17:15 ` [PATCH 1/2] gpg-interface: fix leak of "line" in parse_ssh_output() Jeff King
2021-10-18 17:15 ` [PATCH 2/2] gpg-interface: fix leak of strbufs in get_ssh_key_fingerprint() Jeff King
@ 2021-10-19 8:16 ` Fabian Stelzer
2021-10-19 21:01 ` Jeff King
2 siblings, 1 reply; 5+ messages in thread
From: Fabian Stelzer @ 2021-10-19 8:16 UTC (permalink / raw)
To: Jeff King, git
On 18.10.21 19:11, Jeff King wrote:
> This fixes two small leaks on top of fs/ssh-signing-fix noticed by
> Coverity. I guess it's too late to squash them in, so I prepared patches
> on top.
>
> [1/2]: gpg-interface: fix leak of "line" in parse_ssh_output()
> [2/2]: gpg-interface: fix leak of strbufs in get_ssh_key_fingerprint()
>
> gpg-interface.c | 14 +++++++++++---
> 1 file changed, 11 insertions(+), 3 deletions(-)
>
> -Peff
>
Thanks.
Both of these look good.
Is coverity included in the ci/gh actions? Where would these notices
show up?
Kind regards,
Fabian
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH 0/2] some leak fixes on fs/ssh-signing-fix
2021-10-19 8:16 ` [PATCH 0/2] some leak fixes on fs/ssh-signing-fix Fabian Stelzer
@ 2021-10-19 21:01 ` Jeff King
0 siblings, 0 replies; 5+ messages in thread
From: Jeff King @ 2021-10-19 21:01 UTC (permalink / raw)
To: Fabian Stelzer; +Cc: git
On Tue, Oct 19, 2021 at 10:16:41AM +0200, Fabian Stelzer wrote:
> Is coverity included in the ci/gh actions? Where would these notices
> show up?
Not currently. I've been playing with running it in an action, and may
submit something to make it more official. There's some discussion here:
https://lore.kernel.org/git/YV5dmkkuCqAY2qqG@coredump.intra.peff.net/
There's also some on-going work to make the test suite run without
leak-checkers (I didn't dig them up, but you can find recent topics and
commits from Ævar). But we've got a ways to go, so you'd likely find a
bunch of existing leaks if you tried it.
So no, for now there was nothing obvious you could have seen that would
have alerted you.
-Peff
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2021-10-19 21:01 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-10-18 17:11 [PATCH 0/2] some leak fixes on fs/ssh-signing-fix Jeff King
2021-10-18 17:15 ` [PATCH 1/2] gpg-interface: fix leak of "line" in parse_ssh_output() Jeff King
2021-10-18 17:15 ` [PATCH 2/2] gpg-interface: fix leak of strbufs in get_ssh_key_fingerprint() Jeff King
2021-10-19 8:16 ` [PATCH 0/2] some leak fixes on fs/ssh-signing-fix Fabian Stelzer
2021-10-19 21:01 ` Jeff King
Code repositories for project(s) associated with this public inbox
https://80x24.org/mirrors/git.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).