bpftool: Fix memory leak in dump_xx_nlmsg on realloc failure
authorYuan Chen <chenyuan@kylinos.cn>
Fri, 20 Jun 2025 01:21:33 +0000 (09:21 +0800)
committerAlexei Starovoitov <ast@kernel.org>
Fri, 20 Jun 2025 18:32:36 +0000 (11:32 -0700)
In function dump_xx_nlmsg(), when realloc() fails to allocate memory,
the original pointer to the buffer is overwritten with NULL. This causes
a memory leak because the previously allocated buffer becomes unreachable
without being freed.

Fixes: 7900efc19214 ("tools/bpf: bpftool: improve output format for bpftool net")
Signed-off-by: Yuan Chen <chenyuan@kylinos.cn>
Reviewed-by: Quentin Monnet <qmo@kernel.org>
Link: https://lore.kernel.org/r/20250620012133.14819-1-chenyuan_fl@163.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
tools/bpf/bpftool/net.c

index 64f958f437b01e57865f24c9bc592e5581f3cbd6..cfc6f944f7c33a05679baf9ffca31eb1269fdaf5 100644 (file)
@@ -366,17 +366,18 @@ static int dump_link_nlmsg(void *cookie, void *msg, struct nlattr **tb)
 {
        struct bpf_netdev_t *netinfo = cookie;
        struct ifinfomsg *ifinfo = msg;
+       struct ip_devname_ifindex *tmp;
 
        if (netinfo->filter_idx > 0 && netinfo->filter_idx != ifinfo->ifi_index)
                return 0;
 
        if (netinfo->used_len == netinfo->array_len) {
-               netinfo->devices = realloc(netinfo->devices,
-                       (netinfo->array_len + 16) *
-                       sizeof(struct ip_devname_ifindex));
-               if (!netinfo->devices)
+               tmp = realloc(netinfo->devices,
+                       (netinfo->array_len + 16) * sizeof(struct ip_devname_ifindex));
+               if (!tmp)
                        return -ENOMEM;
 
+               netinfo->devices = tmp;
                netinfo->array_len += 16;
        }
        netinfo->devices[netinfo->used_len].ifindex = ifinfo->ifi_index;
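Review bot: The `-ENOMEM` return under `if (!tmp)` now leaves the old array in `netinfo->devices` with `used_len` and `array_len` unchanged, so the leak is closed only if whoever drives this callback still frees `netinfo->devices` after a non-zero return. That caller is not visible in this hunk and should be checked. A short comment above the return would record the contract, e.g. `/* old array is still valid; the caller frees netinfo->devices */`. The same applies to `tcinfo->handle_array` in the last hunk of dump_class_qdisc_nlmsg(). The body of dump_link_nlmsg() continues past the end of this hunk.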
@@ -395,6 +396,7 @@ static int dump_class_qdisc_nlmsg(void *cookie, void *msg, struct nlattr **tb)
 {
        struct bpf_tcinfo_t *tcinfo = cookie;
        struct tcmsg *info = msg;
+       struct tc_kind_handle *tmp;
 
        if (tcinfo->is_qdisc) {
                /* skip clsact qdisc */
@@ -406,11 +408,12 @@ static int dump_class_qdisc_nlmsg(void *cookie, void *msg, struct nlattr **tb)
        }
 
        if (tcinfo->used_len == tcinfo->array_len) {
-               tcinfo->handle_array = realloc(tcinfo->handle_array,
+               tmp = realloc(tcinfo->handle_array,
                        (tcinfo->array_len + 16) * sizeof(struct tc_kind_handle));
-               if (!tcinfo->handle_array)
+               if (!tmp)
                        return -ENOMEM;
 
+               tcinfo->handle_array = tmp;
                tcinfo->array_len += 16;
        }
        tcinfo->handle_array[tcinfo->used_len].handle = info->tcm_handle;
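Review bot: The growth size `(tcinfo->array_len + 16) * sizeof(struct tc_kind_handle)` is still computed without an overflow check, and the same expression is open-coded in dump_link_nlmsg() in the first hunk. The type of `array_len` is not visible here and the count is presumably bounded by the number of netlink replies, so this is hardening rather than a known bug. If the tool's build can rely on it, `tmp = reallocarray(tcinfo->handle_array, tcinfo->array_len + 16, sizeof(*tmp));` performs the multiplication check and drops the repeated struct name. The function starts and ends outside this hunk.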