From: Anna Kiri Date: Mon, 8 Jun 2026 09:07:05 +0000 (+0200) Subject: mtd: fix buffer leak and fd leak in mtd_dump() X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a5107ad58c6;p=thirdparty%2Fopenwrt.git mtd: fix buffer leak and fd leak in mtd_dump() Two leaks in mtd_dump(): - The buffer allocated with malloc(erasesize) is never freed before returning, leaking erasesize bytes on every call. - The pre-existing malloc-NULL early return path also leaked the just- opened fd by returning directly instead of going through cleanup. Initialize buf to NULL, route the malloc-NULL case through the existing 'out:' label, and add free(buf) on the cleanup path so both fd and buf are released consistently on every exit. Signed-off-by: Anna Kiri Link: https://github.com/openwrt/openwrt/pull/23706 Signed-off-by: Jonas Jelonek --- diff --git a/package/system/mtd/src/mtd.c b/package/system/mtd/src/mtd.c index 3a388c88104..e86582a4b40 100644 --- a/package/system/mtd/src/mtd.c +++ b/package/system/mtd/src/mtd.c @@ -367,7 +367,7 @@ mtd_dump(const char *mtd, int part_offset, int size) { int ret = 0, offset = 0; int fd; - char *buf; + char *buf = NULL; if (quiet < 2) fprintf(stderr, "Dumping %s ...\n", mtd); @@ -385,8 +385,10 @@ mtd_dump(const char *mtd, int part_offset, int size) lseek(fd, part_offset, SEEK_SET); buf = malloc(erasesize); - if (!buf) - return -1; + if (!buf) { + ret = -1; + goto out; + } do { int len = (size > erasesize) ? (erasesize) : (size); @@ -410,6 +412,7 @@ mtd_dump(const char *mtd, int part_offset, int size) } while (size > 0); out: + free(buf); close(fd); return ret; }