[PATCH] D-Bus: Fix memory leak when using array of array of bytes

Angie Chinchilla angie.v.chinchilla
Fri Aug 26 16:55:29 PDT 2011 

From: Reinette Chatre <reinette.chatre at intel.com>

When parsing a dict entry which is an array of an array of bytes the entry
representing the dict entry has DBUS_TYPE_ARRAY as its type and
WPAS_DBUS_TYPE_ARRAY as its array_type. The function freeing this parsed
data incorrectly tested the entry type for WPAS_DBUS_TYPE_ARRAY while doing
no testing of this value for array_type. This results in a memory leak
whenever a D-Bus message with this type of data is parsed.

Messages affected are:
fi.w1.wpa_supplicant1.Interface.P2PDevice
	using RequestedDeviceTypes with Find method
	using SecondaryDeviceTypes or VendorExtension with P2PDeviceProperties

fi.w1.wpa_supplicant1.Group
	using WPSVendorExtensions with Properties property

All of the above messages are parsed with the same function,
wpa_dbus_dict_get_entry, so the assignment of the entry's type and
array_type is consistent. The parsed data is also consistently freed with
the same function, wpa_dbus_dict_entry_clear, so we can use the same checks
to free the data correctly.

Signed-off-by: Reinette Chatre <reinette.chatre at intel.com>
Signed-off-by: Angie Chinchilla <angie.v.chinchilla at intel.com>
---
 wpa_supplicant/dbus/dbus_dict_helpers.c |   10 +++++-----
 1 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/wpa_supplicant/dbus/dbus_dict_helpers.c b/wpa_supplicant/dbus/dbus_dict_helpers.c
index 4ef5c41..5f9e64a 100644
--- a/wpa_supplicant/dbus/dbus_dict_helpers.c
+++ b/wpa_supplicant/dbus/dbus_dict_helpers.c
@@ -1095,13 +1095,13 @@ void wpa_dbus_dict_entry_clear(struct wpa_dbus_dict_entry *entry)
 				os_free(entry->strarray_value[i]);
 			os_free(entry->strarray_value);
 			break;
+		case WPAS_DBUS_TYPE_BINARRAY:
+			for (i = 0; i < entry->array_len; i++)
+				wpabuf_free(entry->binarray_value[i]);
+			os_free(entry->binarray_value);
+			break;
 		}
 		break;
-	case WPAS_DBUS_TYPE_BINARRAY:
-		for (i = 0; i < entry->array_len; i++)
-			wpabuf_free(entry->binarray_value[i]);
-		os_free(entry->binarray_value);
-		break;
 	}
 
 	memset(entry, 0, sizeof(struct wpa_dbus_dict_entry));
-- 
1.7.0.4

More information about the Hostap mailing list