Re: [PATCH 2/2] am: plug FILE * leak in split_mail_conv()
Jeff King writes: > Presumably `fclose` doesn't ever overwrite errno in practice, but I > guess it could in theory. Yeah, these two patches share the same issue. -- To unsubscribe from this list: send the line "unsubscribe git" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH 2/2] am: plug FILE * leak in split_mail_conv()
On Thu, May 12, 2016 at 07:59:39AM +, Eric Wong wrote: > I think both patches in this series would benefit from capturing > errno before cleanup. `fclose` can call `free`, and `free` could > do any manner of things such as calling `madvise` with a flag > not implemented in the running kernel, or failing an optional > trylock without being fatal. > > There's lots of non-standard malloc implementations out there :) > > So I'm not sure if there's ever a guarantee that a non-error > function call preserves `errno`. Good point. This came up not too long ago in: http://article.gmane.org/gmane.comp.version-control.git/286460 I believe POSIX does say that non-error calls should preserve errno, but all the world is not POSIX. And a future POSIX will mandate that `free` should not touch errno, but it's not the future yet (and also, all the world's not POSIX). -Peff -- To unsubscribe from this list: send the line "unsubscribe git" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH 2/2] am: plug FILE * leak in split_mail_conv()
Jeff King wrote:
> On Wed, May 11, 2016 at 04:35:46PM -0700, Junio C Hamano wrote:
> > +++ b/builtin/am.c
> > @@ -761,9 +761,11 @@ static int split_mail_conv(mail_conv_fn fn, struct
> > am_state *state,
> > mail = mkpath("%s/%0*d", state->dir, state->prec, i + 1);
> >
> > out = fopen(mail, "w");
> > - if (!out)
> > + if (!out) {
> > + fclose(in);
> > return error(_("could not open '%s' for writing: %s"),
> > mail, strerror(errno));
> > + }
>
> Presumably `fclose` doesn't ever overwrite errno in practice, but I
> guess it could in theory.
I think both patches in this series would benefit from capturing
errno before cleanup. `fclose` can call `free`, and `free` could
do any manner of things such as calling `madvise` with a flag
not implemented in the running kernel, or failing an optional
trylock without being fatal.
There's lots of non-standard malloc implementations out there :)
So I'm not sure if there's ever a guarantee that a non-error
function call preserves `errno`.
--
To unsubscribe from this list: send the line "unsubscribe git" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH 2/2] am: plug FILE * leak in split_mail_conv()
On Thu, May 12, 2016 at 07:23:02AM +0200, Mikael Magnusson wrote:
> >> - if (!out)
> >> + if (!out) {
> >> + fclose(in);
> >> return error(_("could not open '%s' for writing:
> >> %s"),
> >> mail, strerror(errno));
> >> + }
> >
> > Presumably `fclose` doesn't ever overwrite errno in practice, but I
> > guess it could in theory.
>
> It probably does pretty often in general, but not when the file is
> opened for input only.
Right, I should have said "this fclose".
I think EBADF is the only likely error when closing input, and that's
presumably impossible here.
-Peff
--
To unsubscribe from this list: send the line "unsubscribe git" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH 2/2] am: plug FILE * leak in split_mail_conv()
On Thu, May 12, 2016 at 6:47 AM, Jeff King wrote:
> On Wed, May 11, 2016 at 04:35:46PM -0700, Junio C Hamano wrote:
>
>> Signed-off-by: Junio C Hamano
>> ---
>> builtin/am.c | 4 +++-
>> 1 file changed, 3 insertions(+), 1 deletion(-)
>>
>> diff --git a/builtin/am.c b/builtin/am.c
>> index f1a84c6..a373928 100644
>> --- a/builtin/am.c
>> +++ b/builtin/am.c
>> @@ -761,9 +761,11 @@ static int split_mail_conv(mail_conv_fn fn, struct
>> am_state *state,
>> mail = mkpath("%s/%0*d", state->dir, state->prec, i + 1);
>>
>> out = fopen(mail, "w");
>> - if (!out)
>> + if (!out) {
>> + fclose(in);
>> return error(_("could not open '%s' for writing: %s"),
>> mail, strerror(errno));
>> + }
>
> Presumably `fclose` doesn't ever overwrite errno in practice, but I
> guess it could in theory.
It probably does pretty often in general, but not when the file is
opened for input only.
--
Mikael Magnusson
--
To unsubscribe from this list: send the line "unsubscribe git" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH 2/2] am: plug FILE * leak in split_mail_conv()
On Wed, May 11, 2016 at 04:35:46PM -0700, Junio C Hamano wrote:
> Signed-off-by: Junio C Hamano
> ---
> builtin/am.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/builtin/am.c b/builtin/am.c
> index f1a84c6..a373928 100644
> --- a/builtin/am.c
> +++ b/builtin/am.c
> @@ -761,9 +761,11 @@ static int split_mail_conv(mail_conv_fn fn, struct
> am_state *state,
> mail = mkpath("%s/%0*d", state->dir, state->prec, i + 1);
>
> out = fopen(mail, "w");
> - if (!out)
> + if (!out) {
> + fclose(in);
> return error(_("could not open '%s' for writing: %s"),
> mail, strerror(errno));
> + }
Presumably `fclose` doesn't ever overwrite errno in practice, but I
guess it could in theory.
I also found it weird that we might fclose(stdin) via this line, but
that matches what happens in the non-error path, so I guess it's OK?
-Peff
--
To unsubscribe from this list: send the line "unsubscribe git" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
