From: Florian Weimer via Libc-alpha
Reply-To: Florian Weimer
To: Robbie Harwood via Libc-alpha
Cc: Robbie Harwood
Subject: Re: [PATCH v1] nis: Fix leak on realloc failure in nis_getnames
Date: Wed, 28 Jul 2021 20:03:46 +0200
In-Reply-To: (Robbie Harwood via Libc-alpha's message of "Wed, 28 Jul 2021 13:47:03 -0400")
Message-ID: <87k0la71tp.fsf@oldenburg.str.redhat.com>

* Robbie Harwood via Libc-alpha:

> From 7aa0a9f879d5b2117beb06771bb4fdbaf25699a9 Mon Sep 17 00:00:00 2001
> From: Robbie Harwood
> Date: Wed, 28 Jul 2021 12:54:44 -0400
> Subject: [PATCH v1] nis: Fix leak on realloc failure in nis_getnames
> To: libc-alpha@sourceware.org
> Cc: kukuk@suse.de
>
> If pos >= count but realloc fails, tmp will not have been placed in
> getnames[pos] yet, and so will not be freed in free_null. Detected
> by Coverity.
>
> Also remove misleading comment from nis_getnames(), since it actually
> did properly release getnames when out of memory.
> ---
> nis/nis_subr.c | 8 ++++----
> 1 file changed, 4 insertions(+), 4 deletions(-)
> > diff --git a/nis/nis_subr.c b/nis/nis_subr.c > index dd0e30071d..6784fc353f 100644 > --- a/nis/nis_subr.c > +++ b/nis/nis_subr.c > @@ -103,9 +103,6 @@ count_dots (const_nis_name str) > return count; > } > > -/* If we run out of memory, we don't give already allocated memory > - free. The overhead for bringing getnames back in a safe state to > - free it is to big. */ > nis_name * > nis_getnames (const_nis_name name) > { > @@ -271,7 +268,10 @@ nis_getnames (const_nis_name name) > nis_name *newp = realloc (getnames, > (count + 1) * sizeof (char *)); > if (__glibc_unlikely (newp == NULL)) > - goto free_null; > + { > + free (tmp); > + goto free_null; > + } > getnames = newp; > } > getnames[pos] = tmp;

The patch looks correct to me. (There is some similar code above, but it is already correct because the tmp ownership transfer is different.)

Would you please open a bug in Bugzilla and reference it in the commit message?

I don't think we need to treat this as a security vulnerability (denial of service) because the bug only happens after a memory allocation failure, and at that point, the service is already denied, so to speak.

Thanks,
Florian
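
Review bot: the first hunk (@@ -103,9 +103,6 @@) deletes the comment above nis_getnames without putting anything in its place, so the function is left with no statement of what happens to getnames on allocation failure. Since the commit message says the function does release getnames when out of memory, consider replacing the misleading comment with a short accurate one to that effect rather than removing it outright.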
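
Review bot: in the second hunk (@@ -271,7 +268,10 @@), the new `free (tmp);` is safe only because ownership of tmp passes to getnames at `getnames[pos] = tmp;`, which the realloc failure path never reaches; nothing in the code says so. A one-line comment inside the new block noting that tmp is not yet stored in getnames, and is therefore not covered by the free_null cleanup, would keep a later reader from mistaking it for a double free.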