Re: [PATCH 2/2] am: plug FILE * leak in split_mail_conv()
Jeff King writes: > Presumably `fclose` doesn't ever overwrite errno in practice, but I > guess it could in theory. Yeah, these two patches share the same issue. -- To unsubscribe from this list: send the line "unsubscribe git" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH 2/2] am: plug FILE * leak in split_mail_conv()
On Thu, May 12, 2016 at 07:59:39AM +, Eric Wong wrote: > I think both patches in this series would benefit from capturing > errno before cleanup. `fclose` can call `free`, and `free` could > do any manner of things such as calling `madvise` with a flag > not implemented in the running kernel, or failing an optional > trylock without being fatal. > > There's lots of non-standard malloc implementations out there :) > > So I'm not sure if there's ever a guarantee that a non-error > function call preserves `errno`. Good point. This came up not too long ago in: http://article.gmane.org/gmane.comp.version-control.git/286460 I believe POSIX does say that non-error calls should preserve errno, but all the world is not POSIX. And a future POSIX will mandate that `free` should not touch errno, but it's not the future yet (and also, all the world's not POSIX). -Peff -- To unsubscribe from this list: send the line "unsubscribe git" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH 2/2] am: plug FILE * leak in split_mail_conv()
Jeff King wrote: > On Wed, May 11, 2016 at 04:35:46PM -0700, Junio C Hamano wrote: > > +++ b/builtin/am.c > > @@ -761,9 +761,11 @@ static int split_mail_conv(mail_conv_fn fn, struct > > am_state *state, > > mail = mkpath("%s/%0*d", state->dir, state->prec, i + 1); > > > > out = fopen(mail, "w"); > > - if (!out) > > + if (!out) { > > + fclose(in); > > return error(_("could not open '%s' for writing: %s"), > > mail, strerror(errno)); > > + } > > Presumably `fclose` doesn't ever overwrite errno in practice, but I > guess it could in theory. I think both patches in this series would benefit from capturing errno before cleanup. `fclose` can call `free`, and `free` could do any manner of things such as calling `madvise` with a flag not implemented in the running kernel, or failing an optional trylock without being fatal. There's lots of non-standard malloc implementations out there :) So I'm not sure if there's ever a guarantee that a non-error function call preserves `errno`. -- To unsubscribe from this list: send the line "unsubscribe git" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH 2/2] am: plug FILE * leak in split_mail_conv()
On Thu, May 12, 2016 at 07:23:02AM +0200, Mikael Magnusson wrote: > >> - if (!out) > >> + if (!out) { > >> + fclose(in); > >> return error(_("could not open '%s' for writing: > >> %s"), > >> mail, strerror(errno)); > >> + } > > > > Presumably `fclose` doesn't ever overwrite errno in practice, but I > > guess it could in theory. > > It probably does pretty often in general, but not when the file is > opened for input only. Right, I should have said "this fclose". I think EBADF is the only likely error when closing input, and that's presumably impossible here. -Peff -- To unsubscribe from this list: send the line "unsubscribe git" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH 2/2] am: plug FILE * leak in split_mail_conv()
On Thu, May 12, 2016 at 6:47 AM, Jeff King wrote: > On Wed, May 11, 2016 at 04:35:46PM -0700, Junio C Hamano wrote: > >> Signed-off-by: Junio C Hamano >> --- >> builtin/am.c | 4 +++- >> 1 file changed, 3 insertions(+), 1 deletion(-) >> >> diff --git a/builtin/am.c b/builtin/am.c >> index f1a84c6..a373928 100644 >> --- a/builtin/am.c >> +++ b/builtin/am.c >> @@ -761,9 +761,11 @@ static int split_mail_conv(mail_conv_fn fn, struct >> am_state *state, >> mail = mkpath("%s/%0*d", state->dir, state->prec, i + 1); >> >> out = fopen(mail, "w"); >> - if (!out) >> + if (!out) { >> + fclose(in); >> return error(_("could not open '%s' for writing: %s"), >> mail, strerror(errno)); >> + } > > Presumably `fclose` doesn't ever overwrite errno in practice, but I > guess it could in theory. It probably does pretty often in general, but not when the file is opened for input only. -- Mikael Magnusson -- To unsubscribe from this list: send the line "unsubscribe git" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH 2/2] am: plug FILE * leak in split_mail_conv()
On Wed, May 11, 2016 at 04:35:46PM -0700, Junio C Hamano wrote: > Signed-off-by: Junio C Hamano > --- > builtin/am.c | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > > diff --git a/builtin/am.c b/builtin/am.c > index f1a84c6..a373928 100644 > --- a/builtin/am.c > +++ b/builtin/am.c > @@ -761,9 +761,11 @@ static int split_mail_conv(mail_conv_fn fn, struct > am_state *state, > mail = mkpath("%s/%0*d", state->dir, state->prec, i + 1); > > out = fopen(mail, "w"); > - if (!out) > + if (!out) { > + fclose(in); > return error(_("could not open '%s' for writing: %s"), > mail, strerror(errno)); > + } Presumably `fclose` doesn't ever overwrite errno in practice, but I guess it could in theory. I also found it weird that we might fclose(stdin) via this line, but that matches what happens in the non-error path, so I guess it's OK? -Peff -- To unsubscribe from this list: send the line "unsubscribe git" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html