From: Yu Watanabe <watanabe.yu+github@gmail.com>
Date: Fri, 17 Apr 2026 13:52:18 +0000 (+0900)
Subject: iovec-wrapper: fix memleak in iovw_consume() when len == 0
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ce81c7dd74637e297c4f493533863c996d0ebd39;p=thirdparty%2Fsystemd.git

iovec-wrapper: fix memleak in iovw_consume() when len == 0

This makes even when len == 0, the input buffer is freed.
The behavior is consistent with strv_consume() and friends.
---

diff --git a/src/basic/iovec-wrapper.c b/src/basic/iovec-wrapper.c
index a4604f9a3cb..2b302b96ab0 100644
--- a/src/basic/iovec-wrapper.c
+++ b/src/basic/iovec-wrapper.c
@@ -38,7 +38,7 @@ int iovw_put(struct iovec_wrapper *iovw, void *data, size_t len) {
                 return -ENOMEM;
 
         iovw->iovec[iovw->count++] = IOVEC_MAKE(data, len);
-        return 0;
+        return 1;
 }
 
 int iovw_consume(struct iovec_wrapper *iovw, void *data, size_t len) {
@@ -46,7 +46,7 @@ int iovw_consume(struct iovec_wrapper *iovw, void *data, size_t len) {
         int r;
 
         r = iovw_put(iovw, data, len);
-        if (r < 0)
+        if (r <= 0)
                 free(data);
 
         return r;
diff --git a/src/test/test-iovec-wrapper.c b/src/test/test-iovec-wrapper.c
index 35b93965722..1f4585a129f 100644
--- a/src/test/test-iovec-wrapper.c
+++ b/src/test/test-iovec-wrapper.c
@@ -38,7 +38,7 @@ TEST(iovw_append) {
         ASSERT_EQ(memcmp(iovw.iovec[0].iov_base, "one", 3), 0);
 
         /* Insert with a NUL */
-        ASSERT_OK_ZERO(iovw_append(&iovw, buf, 4));
+        ASSERT_OK(iovw_append(&iovw, buf, 4));
         ASSERT_EQ(iovw.count, 2U);
         ASSERT_EQ(iovw.iovec[1].iov_len, 4U);
         ASSERT_EQ(memcmp(iovw.iovec[1].iov_base, "one\0", 4), 0);
@@ -58,10 +58,9 @@ TEST(iovw_consume) {
         /* iovw_consume moves ownership in place, no copy */
         ASSERT_PTR_EQ(iovw.iovec[0].iov_base, p);
 
-        /* Zero-length: iovw_put returns 0 without adding anything, and does not free the payload.
-         * Confirm by strdup'ing something and explicitly freeing it afterwards. */
-        _cleanup_free_ char *q = strdup("");
-        ASSERT_NOT_NULL(q);
+        /* Zero-length: iovw_put returns 0 without adding anything. Even in that case, iovw_consume() frees
+         * the payload. Confirm by strdup'ing something to verify that when running with sanitizer/valgrind. */
+        char *q = ASSERT_NOT_NULL(strdup(""));
         ASSERT_OK_ZERO(iovw_consume(&iovw, q, 0));
         ASSERT_EQ(iovw.count, 1U);
 }