From: Greg Hudson Date: Mon, 31 Dec 2012 22:21:46 +0000 (-0500) Subject: Fix a small memory leak in util_errmap X-Git-Tag: krb5-1.12-alpha1~376 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=379d39c17b8930718e98185a5b32a0f7f3e3b4b6;p=thirdparty%2Fkrb5.git Fix a small memory leak in util_errmap Calls to gssint_mecherrmap_map_errcode would result in calling mecherror_copy with a zero-length mech OID, which would result in an OID with 0 for length and malloc(0) for elements. On platforms which return non-null from malloc(0), gssint_mecherrmap_destroy() wouldn't free the elements pointer. Avoid calling malloc(0) and don't use the length field to decide whether to free an elements pointer. --- diff --git a/src/lib/gssapi/generic/util_errmap.c b/src/lib/gssapi/generic/util_errmap.c index 9fbc9fc4ca..c26ea7b05a 100644 --- a/src/lib/gssapi/generic/util_errmap.c +++ b/src/lib/gssapi/generic/util_errmap.c @@ -79,14 +79,14 @@ static inline int mecherror_copy(struct mecherror *dest, struct mecherror src) { *dest = src; - dest->mech.elements = malloc(src.mech.length); - if (dest->mech.elements == NULL) { - if (src.mech.length) + if (src.mech.length > 0) { + dest->mech.elements = malloc(src.mech.length); + if (dest->mech.elements == NULL) return ENOMEM; - else - return 0; + memcpy(dest->mech.elements, src.mech.elements, src.mech.length); + } else { + dest->mech.elements = NULL; } - memcpy(dest->mech.elements, src.mech.elements, src.mech.length); return 0; } @@ -155,8 +155,7 @@ int gssint_mecherrmap_init(void) element storage when destroying the collection. */ static int free_one(OM_uint32 i, struct mecherror value, void *p) { - if (value.mech.length && value.mech.elements) - free(value.mech.elements); + free(value.mech.elements); return 0; } @@ -229,10 +228,8 @@ OM_uint32 gssint_mecherrmap_map(OM_uint32 minor, const gss_OID_desc * oid) } err = mecherrmap_add(&m, new_status, me_copy); k5_mutex_unlock(&mutex); - if (err) { - if (me_copy.mech.length) - free(me_copy.mech.elements); - } + if (err) + free(me_copy.mech.elements); #ifdef DEBUG fprintf(f, "%s: mapping ", __FUNCTION__); mecherror_print(me, f);