#1237 only free if sure data has been allocated
Closed: Fixed None Opened 7 years ago by jhrozek.

78        do {
 79            ret = _sss_getautomntent_r(&key, &value, ctx);
At conditional (2): "ret == 0" taking the true branch.
 80            if (ret == 0) {
CID 12583: Use after free (USE_AFTER_FREE) [select defect]
CID 12584: Use after free (USE_AFTER_FREE)Passing freed pointer "value" as an argument to function "printf".
 81                printf("key: %s\t\tvalue: %s\n", key, value);
 82            }
CID 12583: Double free (USE_AFTER_FREE) [select defect]
 83            free(key);
CID 12584: Double free (USE_AFTER_FREE) [select defect]
"free" frees "value".
 84            free(value);
At conditional (1): "ret == 0" taking the true branch.
 85        } while(ret == 0);

We should move the "free" calls to the "if (ret == 0)" branch only.

Setting priority to trivial - this only affects the test CLI tool.


Fields changed

keywords: => Coverity

Fields changed

component: SSSD => AutoFS Responder
owner: somebody => jhrozek
patch: 0 => 1

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.8.1 (LTM)
rhbz: => 0

resolution: => fixed
status: new => closed

These two issues are still being reported by Coverity scans:

75    if (!pc_key) {
 76        key = NULL;
 77        value = NULL;
 78        do {
 79            ret = _sss_getautomntent_r(&key, &value, ctx);
At conditional (2): "ret == 0" taking the true branch.
 80            if (ret == 0) {
CID 12583: Use after free (USE_AFTER_FREE) [select defect]
CID 12584: Use after free (USE_AFTER_FREE)Passing freed pointer "value" as an argument to function "printf".
 81                printf("key: %s\t\tvalue: %s\n", key, value);
 82                free(key);
"free" frees "value".
 83                free(value);
 84            }
At conditional (1): "ret == 0" taking the true branch.
 85        } while(ret == 0);
 86
 87        if (ret != 0 && ret != ENOENT) {
 88            fprintf(stderr, "getautomntent_r failed [%d]: %s\n",
 89                    ret, strerror(ret));
 90            exit(EXIT_FAILURE);
 91        }

and

75    if (!pc_key) {
 76        key = NULL;
 77        value = NULL;
 78        do {
 79            ret = _sss_getautomntent_r(&key, &value, ctx);
At conditional (2): "ret == 0" taking the true branch.
 80            if (ret == 0) {
CID 12584: Use after free (USE_AFTER_FREE) [select defect]
CID 12583: Use after free (USE_AFTER_FREE)Passing freed pointer "key" as an argument to function "printf".
 81                printf("key: %s\t\tvalue: %s\n", key, value);
"free" frees "key".
 82                free(key);
 83                free(value);
 84            }
At conditional (1): "ret == 0" taking the true branch.
 85        } while(ret == 0);
 86
 87        if (ret != 0 && ret != ENOENT) {
 88            fprintf(stderr, "getautomntent_r failed [%d]: %s\n",
 89                    ret, strerror(ret));
 90            exit(EXIT_FAILURE);
 91        }

resolution: fixed =>
status: closed => reopened

Fields changed

milestone: SSSD 1.8.1 (LTM) => SSSD 1.8.2 (LTM)

Fields changed

status: reopened => new

A second attempt is on the list.

status: new => assigned

resolution: => fixed
status: assigned => closed

Metadata Update from @jhrozek:
- Issue assigned to jhrozek
- Issue set to the milestone: SSSD 1.8.2 (LTM)

2 years ago
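
Added example, not part of the ticket or of SSSD's code: the loop from the report with the frees confined to the success branch, as the description proposes, plus a reset of both pointers to NULL after each free, so a failing call that leaves its outputs untouched cannot pass a stale address to a later `printf` or `free`. The NULL reset is an assumption of this example (the ticket does not show the second patch), and `next_entry`, `dup_tracked`, `release`, `live_allocs` and the sample entries are hypothetical stand-ins for `_sss_getautomntent_r` and its data.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Constructed sample entries standing in for automounter map data. */
static const char *sample[][2] = {
    { "home", "server:/export/home" }, { "data", "server:/export/data" },
};
int live_allocs;  /* buffers handed out and not yet released */

static char *dup_tracked(const char *s) {
    char *p = malloc(strlen(s) + 1);
    if (p == NULL) abort();
    live_allocs++;
    return strcpy(p, s);
}
/* Hypothetical stand-in for _sss_getautomntent_r(): allocates *key and *value
 * only on success; on failure the caller's pointers are left untouched. */
static int next_entry(char **key, char **value, size_t *pos) {
    if (*pos >= sizeof(sample) / sizeof(sample[0])) return ENOENT;
    *key = dup_tracked(sample[*pos][0]);
    *value = dup_tracked(sample[(*pos)++][1]);
    return 0;
}

/* Free once, then clear the pointer so no stale address survives the loop. */
static void release(char **p) {
    if (*p != NULL) live_allocs--;
    free(*p);
    *p = NULL;
}

/* Hardened loop; returns entries printed, or -1 on an error other than ENOENT. */
int dump_entries(void) {
    char *key = NULL, *value = NULL;
    size_t pos = 0;
    int ret, printed = 0;
    do {
        ret = next_entry(&key, &value, &pos);
        if (ret == 0) {
            printed++;
            printf("key: %s\t\tvalue: %s\n", key, value);
            release(&key);
            release(&value);
        }
    } while (ret == 0);
    return (ret == ENOENT) ? printed : -1;
}
int main(void) { return dump_entries() == 2 ? EXIT_SUCCESS : EXIT_FAILURE; }
```

The `live_allocs` counter returning to zero shows each buffer was freed exactly once.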
