[8/9] sdp: Fix memory leak in sdp_data_alloc*()

Message ID	20240702084900.773620-9-hadess@hadess.net (mailing list archive)
State	Superseded
Headers	show Received: from relay4-d.mail.gandi.net (relay4-d.mail.gandi.net [217.70.183.196]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id E845514E2C2 for <linux-bluetooth@vger.kernel.org>; Tue, 2 Jul 2024 08:49:10 +0000 (UTC) From: Bastien Nocera <hadess@hadess.net> To: linux-bluetooth@vger.kernel.org Cc: Bastien Nocera <hadess@hadess.net> Subject: [PATCH 8/9] sdp: Fix memory leak in sdp_data_alloc*() Date: Tue, 2 Jul 2024 10:47:23 +0200 Message-ID: <20240702084900.773620-9-hadess@hadess.net> In-Reply-To: <20240702084900.773620-1-hadess@hadess.net> References: <20240702084900.773620-1-hadess@hadess.net> Precedence: bulk MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	Fix a number of static analysis issues #4 \| expand [0/9] Fix a number of static analysis issues #4 [1/9] main: Simplify parse_config_string() [2/9] avdtp: Fix manipulating struct as an array [3/9] mesh: Avoid accessing array out-of-bounds [4/9] obexd: Fix possible memleak [5/9] obexd: Fix memory leak in entry struct [6/9] obexd: Fix leak in backup_object struct [7/9] health/mcap: Fix memory leak in mcl struct [8/9] sdp: Fix memory leak in sdp_data_alloc*() [9/9] sdp: Check memory allocation in sdp_copy_seq()

Message ID

20240702084900.773620-9-hadess@hadess.net (mailing list archive)

State

Superseded

Headers

From: Bastien Nocera <hadess@hadess.net>
To: linux-bluetooth@vger.kernel.org
Cc: Bastien Nocera <hadess@hadess.net>
Subject: [PATCH 8/9] sdp: Fix memory leak in sdp_data_alloc*()
Date: Tue,  2 Jul 2024 10:47:23 +0200
Message-ID: <20240702084900.773620-9-hadess@hadess.net>
In-Reply-To: <20240702084900.773620-1-hadess@hadess.net>
References: <20240702084900.773620-1-hadess@hadess.net>
Precedence: bulk
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

Fix a number of static analysis issues #4 | expand

Checks

Context	Check	Description
tedd_an/pre-ci_am	success	Success
tedd_an/CheckPatch	success	CheckPatch PASS
tedd_an/GitLint	fail	WARNING: I3 - ignore-body-lines: gitlint will be switching from using Python regex 'match' (match beginning) to 'search' (match anywhere) semantics. Please review your ignore-body-lines.regex option accordingly. To remove this warning, set general.regex-style-search=True. More details: https://jorisroovers.github.io/gitlint/configuration/#regex-style-search 7: B1 Line exceeds max length (100>80): "bluez-5.76/lib/sdp.c:542:4: alloc_fn: Storage is returned from allocation function "sdp_data_alloc"." 8: B1 Line exceeds max length (115>80): "bluez-5.76/lib/sdp.c:542:4: var_assign: Assigning: "data" = storage returned from "sdp_data_alloc(dtd, values[i])"." 13: B1 Line exceeds max length (109>80): "bluez-5.76/lib/sdp.c:545:4: leaked_storage: Variable "seq" going out of scope leaks the storage it points to." 15: B3 Line contains hard tab characters (\t): "544\| if (!data)" 16: B3 Line contains hard tab characters (\t): "545\|-> return NULL;" 18: B3 Line contains hard tab characters (\t): "547\| if (curr)"
tedd_an/IncrementalBuild	success	Incremental Build PASS

Context

Check

Description

tedd_an/pre-ci_am

success

Success

tedd_an/CheckPatch

success

CheckPatch PASS

tedd_an/GitLint

fail

WARNING: I3 - ignore-body-lines: gitlint will be switching from using Python regex 'match' (match beginning) to 'search' (match anywhere) semantics. Please review your ignore-body-lines.regex option accordingly. To remove this warning, set general.regex-style-search=True. More details: https://jorisroovers.github.io/gitlint/configuration/#regex-style-search 7: B1 Line exceeds max length (100>80): "bluez-5.76/lib/sdp.c:542:4: alloc_fn: Storage is returned from allocation function "sdp_data_alloc"." 8: B1 Line exceeds max length (115>80): "bluez-5.76/lib/sdp.c:542:4: var_assign: Assigning: "data" = storage returned from "sdp_data_alloc(dtd, values[i])"." 13: B1 Line exceeds max length (109>80): "bluez-5.76/lib/sdp.c:545:4: leaked_storage: Variable "seq" going out of scope leaks the storage it points to." 15: B3 Line contains hard tab characters (\t): "544| if (!data)" 16: B3 Line contains hard tab characters (\t): "545|-> return NULL;" 18: B3 Line contains hard tab characters (\t): "547| if (curr)"

tedd_an/IncrementalBuild

success

Incremental Build PASS

Commit Message

Bastien Nocera July 2, 2024, 8:47 a.m. UTC

Make sure to free already allocated memory if we run out of memory
before the end of the loop.

Error: RESOURCE_LEAK (CWE-772): [#def8] [important]
bluez-5.76/lib/sdp.c:542:4: alloc_fn: Storage is returned from allocation function "sdp_data_alloc".
bluez-5.76/lib/sdp.c:542:4: var_assign: Assigning: "data" = storage returned from "sdp_data_alloc(dtd, values[i])".
bluez-5.76/lib/sdp.c:550:4: var_assign: Assigning: "seq" = "data".
bluez-5.76/lib/sdp.c:552:3: var_assign: Assigning: "curr" = "data".
bluez-5.76/lib/sdp.c:553:2: out_of_scope: Variable "data" goes out of scope.
bluez-5.76/lib/sdp.c:552:3: overwrite_var: Overwriting "curr" in "curr = data".
bluez-5.76/lib/sdp.c:545:4: leaked_storage: Variable "seq" going out of scope leaks the storage it points to.
543|
544|		if (!data)
545|->			return NULL;
546|
547|		if (curr)
---
 lib/sdp.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/lib/sdp.c b/lib/sdp.c
index 2e66505b21b8..b87951b007a3 100644
--- a/lib/sdp.c
+++ b/lib/sdp.c
@@ -513,8 +513,10 @@  sdp_data_t *sdp_seq_alloc_with_length(void **dtds, void **values, int *length,
 		else
 			data = sdp_data_alloc_with_length(dtd, values[i], length[i]);
 
-		if (!data)
+		if (!data) {
+			sdp_data_free(seq);
 			return NULL;
+		}
 
 		if (curr)
 			curr->next = data;
@@ -541,8 +543,10 @@  sdp_data_t *sdp_seq_alloc(void **dtds, void **values, int len)
 		else
 			data = sdp_data_alloc(dtd, values[i]);
 
-		if (!data)
+		if (!data) {
+			sdp_data_free(seq);
 			return NULL;
+		}
 
 		if (curr)
 			curr->next = data;