possible memory leak in commands/nand.c?

Sascha Hauer s.hauer at pengutronix.de
Mon Dec 21 03:45:59 EST 2009


On Sun, Dec 20, 2009 at 02:33:11PM -0500, Robert P. J. Day wrote:
> 
>   once again, perhaps i'm just misreading this but consider this code
> from commands/nand.c, noting the two early calls to asprintf():
> 
> ===== begin =====
> 
>         bb = xzalloc(sizeof(*bb));
>         bb->devname = asprintf("/dev/%s", basename(path));
>         if (name)
>                 bb->cdev.name = strdup(name);
>         else
>                 bb->cdev.name = asprintf("%s.bb", basename(path));
> 
>         ret = stat(bb->devname, &s);
>         if (ret)
>                 goto free_out;
> 
>         bb->raw_size = s.st_size;
> 
>         bb->fd = open(bb->devname, O_RDWR);
>         if (bb->fd < 0) {
>                 ret = -ENODEV;
>                 goto free_out;
>         }
> 
>         ret = ioctl(bb->fd, MEMGETINFO, &bb->info);
>         if (ret)
>                 goto free_out;
> 
>         nand_bb_calc_size(bb);
>         bb->cdev.ops = &nand_bb_ops;
>         bb->cdev.priv = bb;
> 
>         devfs_create(&bb->cdev);
> 
>         return 0;
> 
> free_out:
>         free(bb);
>         return ret;
> 
> ===== end =====
> 
>   if something in the latter part of that code fails and control jumps
> to the label "free_out", won't this code fail to free() the memory
> allocated in the two asprintf() calls?  isn't the programmer
> explicitly required to free memory allocated with asprintf() or
> vasprintf() calls?

Yes, indeed, that's a memory hole here. The following should fix this.
Thanks for noting.

Sascha
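The error path discussed in this thread, as an added example (it is not the patch Sascha refers to and not barebox code). `t_alloc`, `t_free`, `fmt_alloc`, `bb_add` and `leaked_after_failure` are hypothetical names, the stat()/open()/ioctl() failure is simulated, and a counter shows what a `free_out` that only frees `bb` leaves allocated compared with one that frees both strings first.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>

static int live; /* outstanding allocations; demo bookkeeping only */
static void *t_alloc(size_t n) { void *p = calloc(1, n); if (p) live++; return p; }
static void t_free(void *p) { if (p) { live--; free(p); } }

/* Hypothetical stand-in for the asprintf() in the quoted code, which
 * returns the allocated string instead of filling a char ** argument. */
static char *fmt_alloc(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(NULL, 0, fmt, ap);
    va_end(ap);
    char *s = n < 0 ? NULL : t_alloc((size_t)n + 1);
    if (!s) return NULL;
    va_start(ap, fmt);
    vsnprintf(s, (size_t)n + 1, fmt, ap);
    va_end(ap);
    return s;
}

struct bb { char *devname; char *cdev_name; };

/* probe_fails simulates stat()/open()/ioctl() failing after both strings
 * were allocated; fixed selects the cleanup that also frees the strings. */
static int bb_add(const char *base, int probe_fails, int fixed)
{
    struct bb *bb = t_alloc(sizeof(*bb));
    if (!bb) return -1;
    bb->devname = fmt_alloc("/dev/%s", base);
    bb->cdev_name = fmt_alloc("%s.bb", base);
    if (!probe_fails && bb->devname && bb->cdev_name)
        return 0; /* success: the registered device now owns bb */
    /* Members must be freed before the struct that points to them. */
    if (fixed) { t_free(bb->cdev_name); t_free(bb->devname); }
    t_free(bb);
    return -1;
}

/* Allocations still outstanding after one failed bb_add("nand0"). */
static int leaked_after_failure(int fixed)
{
    int before = live;
    bb_add("nand0", 1, fixed);
    return live - before;
}

int main(void) { printf("old: %d\n", leaked_after_failure(0)); return 0; }
```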



