[PATCH] iw: Fix memory leak if nla_put fails
From 80c956f15edfe4f59a6c13ae8ad08bea0b78aafc Mon Sep 17 00:00:00 2001 From: Amit Khatri Date: Sat, 7 Nov 2015 17:00:47 +0530 Subject: [PATCH] Fix memory leak if nla_put fails Signed-off-by: Amit Khatri Signed-off-by: Amit Khatri Signed-off-by: Ashutosh Kaushik avoid memory leak because of nla_put_failure --- coalesce.c | 7 ++- wowlan.c | 28 ++-- 2 files changed, 28 insertions(+), 7 deletions(-) diff --git a/coalesce.c b/coalesce.c index 36dcaef..9b13ab3 100644 --- a/coalesce.c +++ b/coalesce.c @@ -124,7 +124,8 @@ static int handle_coalesce_enable(struct nl80211_state *state, nla_nest_end(msg, nl_pat); free(mask); free(pat); - + pat=NULL; + mask=NULL; if (!next_pat) break; cur_pat = next_pat; @@ -155,6 +156,10 @@ static int handle_coalesce_enable(struct nl80211_state *state, err = 1; goto close; nla_put_failure: + if(pat) + free(pat); + if(mask) + free(mask); err = -ENOBUFS; close: fclose(f); diff --git a/wowlan.c b/wowlan.c index c30eab7..2e1d43d 100644 --- a/wowlan.c +++ b/wowlan.c @@ -89,7 +89,10 @@ static int wowlan_parse_tcp_file(struct nl_msg *msg, const char *fn) if (!pkt) goto close; - NLA_PUT(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD, len, pkt); + if(nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD, len, pkt) < 0){ + free(pkt); + goto nla_put_failure; + } free(pkt); } else if (strncmp(buf, "data.interval=", 14) == 0) { NLA_PUT_U32(msg, NL80211_WOWLAN_TCP_DATA_INTERVAL, @@ -97,13 +100,20 @@ static int wowlan_parse_tcp_file(struct nl_msg *msg, const char *fn) } else if (strncmp(buf, "wake=", 5) == 0) { unsigned char *pat, *mask; size_t patlen; - if (parse_hex_mask(buf + 5, &pat, &patlen, &mask)) goto close; - NLA_PUT(msg, NL80211_WOWLAN_TCP_WAKE_MASK, - DIV_ROUND_UP(patlen, 8), mask); - NLA_PUT(msg, NL80211_WOWLAN_TCP_WAKE_PAYLOAD, - patlen, pat); + if(nla_put(msg, NL80211_WOWLAN_TCP_WAKE_MASK, + DIV_ROUND_UP(patlen, 8), mask) < 0){ + free(mask); + free(pat); + goto nla_put_failure; + } + if(nla_put(msg, NL80211_WOWLAN_TCP_WAKE_PAYLOAD, + patlen, pat) < 0){ + free(pat); + free(mask); + goto nla_put_failure; + } free(mask); free(pat); } else if (strncmp(buf, "data.seq=", 9) == 0) { @@ -299,6 +309,8 @@ static int handle_wowlan_enable(struct nl80211_state *state, nla_nest_end(patterns, pattern); free(mask); free(pat); + pat=NULL; + mask=NULL; break; } argv++; @@ -312,6 +324,10 @@ static int handle_wowlan_enable(struct nl80211_state *state, nla_nest_end(msg, wowlan); err = 0; nla_put_failure: + if(pat) + free(pat); + if(mask) + free(mask); nlmsg_free(patterns); return err; } -- 1.9.1 N�r��yb�X��ǧv�^�){.n�+{��*ޕ�,�{ay�ʇڙ�,j��f���h���z��w��� ���j:+v���w�j�mzZ+�ݢj"��!�i
[PATCH] iw: Fix memory leak if nla_put fails
From 80c956f15edfe4f59a6c13ae8ad08bea0b78aafc Mon Sep 17 00:00:00 2001 From: Amit Khatri Date: Sat, 7 Nov 2015 17:00:47 +0530 Subject: [PATCH] Fix memory leak if nla_put fails Signed-off-by: Amit Khatri Signed-off-by: Rahul Jain Signed-off-by: Ashutosh Kaushik avoid memory leak because of nla_put_failure --- coalesce.c | 7 ++- wowlan.c | 28 ++-- 2 files changed, 28 insertions(+), 7 deletions(-) diff --git a/coalesce.c b/coalesce.c index 36dcaef..9b13ab3 100644 --- a/coalesce.c +++ b/coalesce.c @@ -124,7 +124,8 @@ static int handle_coalesce_enable(struct nl80211_state *state, nla_nest_end(msg, nl_pat); free(mask); free(pat); - + pat=NULL; + mask=NULL; if (!next_pat) break; cur_pat = next_pat; @@ -155,6 +156,10 @@ static int handle_coalesce_enable(struct nl80211_state *state, err = 1; goto close; nla_put_failure: + if(pat) + free(pat); + if(mask) + free(mask); err = -ENOBUFS; close: fclose(f); diff --git a/wowlan.c b/wowlan.c index c30eab7..2e1d43d 100644 --- a/wowlan.c +++ b/wowlan.c @@ -89,7 +89,10 @@ static int wowlan_parse_tcp_file(struct nl_msg *msg, const char *fn) if (!pkt) goto close; - NLA_PUT(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD, len, pkt); + if(nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD, len, pkt) < 0){ + free(pkt); + goto nla_put_failure; + } free(pkt); } else if (strncmp(buf, "data.interval=", 14) == 0) { NLA_PUT_U32(msg, NL80211_WOWLAN_TCP_DATA_INTERVAL, @@ -97,13 +100,20 @@ static int wowlan_parse_tcp_file(struct nl_msg *msg, const char *fn) } else if (strncmp(buf, "wake=", 5) == 0) { unsigned char *pat, *mask; size_t patlen; - if (parse_hex_mask(buf + 5, &pat, &patlen, &mask)) goto close; - NLA_PUT(msg, NL80211_WOWLAN_TCP_WAKE_MASK, - DIV_ROUND_UP(patlen, 8), mask); - NLA_PUT(msg, NL80211_WOWLAN_TCP_WAKE_PAYLOAD, - patlen, pat); + if(nla_put(msg, NL80211_WOWLAN_TCP_WAKE_MASK, + DIV_ROUND_UP(patlen, 8), mask) < 0){ + free(mask); + free(pat); + goto nla_put_failure; + } + if(nla_put(msg, NL80211_WOWLAN_TCP_WAKE_PAYLOAD, + patlen, pat) < 0){ + free(pat); + free(mask); + goto nla_put_failure; + } free(mask); free(pat); } else if (strncmp(buf, "data.seq=", 9) == 0) { @@ -299,6 +309,8 @@ static int handle_wowlan_enable(struct nl80211_state *state, nla_nest_end(patterns, pattern); free(mask); free(pat); + pat=NULL; + mask=NULL; break; } argv++; @@ -312,6 +324,10 @@ static int handle_wowlan_enable(struct nl80211_state *state, nla_nest_end(msg, wowlan); err = 0; nla_put_failure: + if(pat) + free(pat); + if(mask) + free(mask); nlmsg_free(patterns); return err; } -- 1.9.1 N�r��yb�X��ǧv�^�){.n�+{��*ޕ�,�{ay�ʇڙ�,j��f���h���z��w��� ���j:+v���w�j�mzZ+�ݢj"��!�i
[PATCH 1/3] iw: check nlmsg_allocation
In case of memory allocation failure by nlmsg_alloc() cqm will pass to NLA_PUT_U32. it should not happen Signed-off-by: Amit Khatri Signed-off-by: Rahul Jain --- cqm.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/cqm.c b/cqm.c index 36e..412d77b 100644 --- a/cqm.c +++ b/cqm.c @@ -34,6 +34,8 @@ static int iw_cqm_rssi(struct nl80211_state *state, /* connection quality monitor attributes */ cqm = nlmsg_alloc(); + if(!cqm) + return -ENOMEM; NLA_PUT_U32(cqm, NL80211_ATTR_CQM_RSSI_THOLD, thold); NLA_PUT_U32(cqm, NL80211_ATTR_CQM_RSSI_HYST, hyst); -- 1.9.1
[PATCH 2/3] iw: Avoid NULL attr value to pass in nla_data.
value of attr may be NULL so check before passing to function. Signed-off-by: Amit Khatri Signed-off-by: Rahul Jain --- event.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/event.c b/event.c index 5fb5afc..5d0bfde 100644 --- a/event.c +++ b/event.c @@ -49,8 +49,10 @@ static void print_frame(struct print_event_args *args, struct nlattr *attr) char macbuf[6*3]; uint16_t tmp; - if (!attr) + if (!attr) { printf(" [no frame]"); + return; + } frame = nla_data(attr); len = nla_len(attr); -- 1.9.1
[PATCH 3/3] iw: Avoid possible memory leak for cb
cb got memory from nl_cb_alloc() but not doing free during error case and use same lable to go out from function. Signed-off-by: Amit Khatri Signed-off-by: Rahul Jain --- iw.c | 8 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/iw.c b/iw.c index ec56736..a2c2795 100644 --- a/iw.c +++ b/iw.c @@ -476,13 +476,13 @@ static int __handle_cmd(struct nl80211_state *state, enum id_input idby, err = cmd->handler(state, msg, argc, argv, idby); if (err) - goto out; + goto out_free_msg; nl_socket_set_cb(state->nl_sock, s_cb); err = nl_send_auto_complete(state->nl_sock, msg); if (err < 0) - goto out; + goto out_free_msg; err = 1; @@ -493,9 +493,9 @@ static int __handle_cmd(struct nl80211_state *state, enum id_input idby, while (err > 0) nl_recvmsgs(state->nl_sock, cb); - out: - nl_cb_put(cb); + out_free_msg: + nl_cb_put(cb); nlmsg_free(msg); return err; nla_put_failure: -- 1.9.1 N�r��yb�X��ǧv�^�){.n�+{��*ޕ�,�{ay�ʇڙ�,j��f���h���z��w��� ���j:+v���w�j�mzZ+�ݢj"��!�i
[PATCH V2] iw: Avoid possible memory leak for cb
cb got memory from nl_cb_alloc() but not doing free during error case and use same lable to go out from function. Signed-off-by: Amit Khatri Signed-off-by: Rahul Jain --- iw.c | 10 ++ 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/iw.c b/iw.c index ec56736..1385441 100644 --- a/iw.c +++ b/iw.c @@ -476,13 +476,13 @@ static int __handle_cmd(struct nl80211_state *state, enum id_input idby, err = cmd->handler(state, msg, argc, argv, idby); if (err) - goto out; + goto out_free_msg; nl_socket_set_cb(state->nl_sock, s_cb); err = nl_send_auto_complete(state->nl_sock, msg); if (err < 0) - goto out; + goto out_free_msg; err = 1; @@ -493,9 +493,11 @@ static int __handle_cmd(struct nl80211_state *state, enum id_input idby, while (err > 0) nl_recvmsgs(state->nl_sock, cb); - out: - nl_cb_put(cb); out_free_msg: + if(!cb) + nl_cb_put(cb); + if(!s_cb) + nl_cb_put(s_cb); nlmsg_free(msg); return err; nla_put_failure: -- 1.9.1
[PATCH 1/4] iw:Avoid resource memory leak. free ssids and freqs memory before return
Hi Johannes, Subject: [PATCH 1/4] [iw] Avoid resource memory leak. free ssids and freqs memory before return Signed-off-by: Amit Khatri Signed-off-by: Rahul Jain --- scan.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/scan.c b/scan.c index bf39f34..5483c1d 100644 --- a/scan.c +++ b/scan.c @@ -409,6 +409,8 @@ static int handle_scan(struct nl80211_state *state, break; } case DONE: + nlmsg_free(ssids); + nlmsg_free(freqs); return 1; case FREQ: freq = strtoul(argv[i], &eptr, 10); -- 1.9.1
[PATCH 2/4] iw: Avoid possible memory leak for cb. cb got memory from nl_cb_alloc() but not doing free
Hi Johannes, Subject: [PATCH 2/4] iw: Avoid possible memory leak for cb. cb got memory from nl_cb_alloc() but not doing free Signed-off-by: Amit Khatri Signed-off-by: Rahul Jain --- iw.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/iw.c b/iw.c index dc99566..1e913b6 100644 --- a/iw.c +++ b/iw.c @@ -477,8 +477,8 @@ static int __handle_cmd(struct nl80211_state *state, enum id_input idby, while (err > 0) nl_recvmsgs(state->nl_sock, cb); out: - nl_cb_put(cb); out_free_msg: + nl_cb_put(cb); nlmsg_free(msg); return err; nla_put_failure: -- 1.9.1
[PATCH 3/4] iw: Static analyser report that attr may be NULL so either we can remove condition check statement or add goto at end of this function.
Hi Johannes, Subject: [PATCH 3/4] iw: Static analyser report that attr may be NULL so either we can remove condition check statement or add goto at end of this function. Signed-off-by: Amit Khatri Signed-off-by: Rahul Jain --- event.c | 6 +- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/event.c b/event.c index f73e078..06d236b 100644 --- a/event.c +++ b/event.c @@ -49,8 +49,10 @@ static void print_frame(struct print_event_args *args, struct nlattr *attr) char macbuf[6*3]; uint16_t tmp; - if (!attr) + if (!attr) { printf(" [no frame]"); + goto out; + } frame = nla_data(attr); len = nla_len(attr); @@ -97,6 +99,8 @@ static void print_frame(struct print_event_args *args, struct nlattr *attr) for (i = 0; i < len; i++) printf(" %.02x", frame[i]); printf("]"); + out: + ; /*empty statement to avoid compiler error */ } static void parse_cqm_event(struct nlattr **attrs) -- 1.9.1N�r��yb�X��ǧv�^�){.n�+{��*ޕ�,�{ay�ʇڙ�,j��f���h���z��w��� ���j:+v���w�j�mzZ+�ݢj"��!�i
[PATCH 4/4] iw:In case of memory allocation failure by nlmsg_alloc() cqm will pass to NLA_PUT_U32. it should not happen.
Hi Johannes, Subject: [PATCH 4/4] iw:In case of memory allocation failure by nlmsg_alloc() cqm will pass to NLA_PUT_U32. it should not happen. Signed-off-by: Amit Khatri Signed-off-by: Rahul Jain --- cqm.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/cqm.c b/cqm.c index 65876af..bf60401 100644 --- a/cqm.c +++ b/cqm.c @@ -34,6 +34,8 @@ static int iw_cqm_rssi(struct nl80211_state *state, struct nl_cb *cb, /* connection quality monitor attributes */ cqm = nlmsg_alloc(); + if(!cqm) + return -ENOMEM; NLA_PUT_U32(cqm, NL80211_ATTR_CQM_RSSI_THOLD, thold); NLA_PUT_U32(cqm, NL80211_ATTR_CQM_RSSI_HYST, hyst); -- 1.9.1
[PATCH] iw: Static analyser fixes
Hi Johannes, Subject: [PATCH] iw: Static analyser fixes Signed-off-by: Amit Khatri Signed-off-by: Rahul Jain --- cqm.c | 2 ++ event.c | 6 +- iw.c| 2 +- scan.c | 2 ++ 4 files changed, 10 insertions(+), 2 deletions(-) diff --git a/cqm.c b/cqm.c index 65876af..bf60401 100644 --- a/cqm.c +++ b/cqm.c @@ -34,6 +34,8 @@ static int iw_cqm_rssi(struct nl80211_state *state, struct nl_cb *cb, /* connection quality monitor attributes */ cqm = nlmsg_alloc(); + if(!cqm) + return -ENOMEM; NLA_PUT_U32(cqm, NL80211_ATTR_CQM_RSSI_THOLD, thold); NLA_PUT_U32(cqm, NL80211_ATTR_CQM_RSSI_HYST, hyst); diff --git a/event.c b/event.c index f73e078..06d236b 100644 --- a/event.c +++ b/event.c @@ -49,8 +49,10 @@ static void print_frame(struct print_event_args *args, struct nlattr *attr) char macbuf[6*3]; uint16_t tmp; - if (!attr) + if (!attr) { printf(" [no frame]"); + goto out; + } frame = nla_data(attr); len = nla_len(attr); @@ -97,6 +99,8 @@ static void print_frame(struct print_event_args *args, struct nlattr *attr) for (i = 0; i < len; i++) printf(" %.02x", frame[i]); printf("]"); + out: + ; /*empty statement to avoid compiler error */ } static void parse_cqm_event(struct nlattr **attrs) diff --git a/iw.c b/iw.c index dc99566..1e913b6 100644 --- a/iw.c +++ b/iw.c @@ -477,8 +477,8 @@ static int __handle_cmd(struct nl80211_state *state, enum id_input idby, while (err > 0) nl_recvmsgs(state->nl_sock, cb); out: - nl_cb_put(cb); out_free_msg: + nl_cb_put(cb); nlmsg_free(msg); return err; nla_put_failure: diff --git a/scan.c b/scan.c index bf39f34..5483c1d 100644 --- a/scan.c +++ b/scan.c @@ -409,6 +409,8 @@ static int handle_scan(struct nl80211_state *state, break; } case DONE: + nlmsg_free(ssids); + nlmsg_free(freqs); return 1; case FREQ: freq = strtoul(argv[i], &eptr, 10); -- 1.9.1
Re: Re: [PATCH] iw: Static analyser fixes
hi Julian, I have modified patch according to your suggestion. Subject: [PATCH] iw: Static analyser fixes Signed-off-by: Amit Khatri Signed-off-by: Rahul Jain --- cqm.c | 2 ++ event.c | 4 +++- iw.c| 2 +- scan.c | 2 ++ 4 files changed, 8 insertions(+), 2 deletions(-) diff --git a/cqm.c b/cqm.c index 65876af..bf60401 100644 --- a/cqm.c +++ b/cqm.c @@ -34,6 +34,8 @@ static int iw_cqm_rssi(struct nl80211_state *state, struct nl_cb *cb, /* connection quality monitor attributes */ cqm = nlmsg_alloc(); + if(!cqm) + return -ENOMEM; NLA_PUT_U32(cqm, NL80211_ATTR_CQM_RSSI_THOLD, thold); NLA_PUT_U32(cqm, NL80211_ATTR_CQM_RSSI_HYST, hyst); diff --git a/event.c b/event.c index f73e078..50b3b17 100644 --- a/event.c +++ b/event.c @@ -49,8 +49,10 @@ static void print_frame(struct print_event_args *args, struct nlattr *attr) char macbuf[6*3]; uint16_t tmp; - if (!attr) + if (!attr) { printf(" [no frame]"); + return; + } frame = nla_data(attr); len = nla_len(attr); diff --git a/iw.c b/iw.c index dc99566..1e913b6 100644 --- a/iw.c +++ b/iw.c @@ -477,8 +477,8 @@ static int __handle_cmd(struct nl80211_state *state, enum id_input idby, while (err > 0) nl_recvmsgs(state->nl_sock, cb); out: - nl_cb_put(cb); out_free_msg: + nl_cb_put(cb); nlmsg_free(msg); return err; nla_put_failure: diff --git a/scan.c b/scan.c index bf39f34..5483c1d 100644 --- a/scan.c +++ b/scan.c @@ -409,6 +409,8 @@ static int handle_scan(struct nl80211_state *state, break; } case DONE: + nlmsg_free(ssids); + nlmsg_free(freqs); return 1; case FREQ: freq = strtoul(argv[i], &eptr, 10); -- 1.9.1 --- Original Message --- Sender : Julian Calaby Date : Jun 30, 2015 17:59 (GMT+05:30) Title : Re: [PATCH] iw: Static analyser fixes Hi Amit, On Tue, Jun 30, 2015 at 10:17 PM, Amit Khatri wrote: > Hi Johannes, > > Subject: [PATCH] iw: Static analyser fixes > > Signed-off-by: Amit Khatri > Signed-off-by: Rahul Jain > --- > cqm.c | 2 ++ > event.c | 6 +- > iw.c| 2 +- > scan.c | 2 ++ > 4 files changed, 10 insertions(+), 2 deletions(-) > > diff --git a/event.c b/event.c > index f73e078..06d236b 100644 > --- a/event.c > +++ b/event.c > @@ -49,8 +49,10 @@ static void print_frame(struct print_event_args *args, > struct nlattr *attr) > char macbuf[6*3]; > uint16_t tmp; > > - if (!attr) > + if (!attr) { > printf(" [no frame]"); > + goto out; > + } > > frame = nla_data(attr); > len = nla_len(attr); > @@ -97,6 +99,8 @@ static void print_frame(struct print_event_args *args, > struct nlattr *attr) > for (i = 0; i < len; i++) > printf(" %.02x", frame[i]); > printf("]"); > + out: > + ; /*empty statement to avoid compiler error */ Er, why not just return in the if (!attr) block? Thanks, -- Julian Calaby Email: julian.cal...@gmail.com Profile: http://www.google.com/profiles/julian.calaby/
[PATCH] iw: Null check before accessing n_mcs variable
From: Amit Khatri Date: Thu, 24 Aug 2017 00:16:26 -0700 Subject: [PATCH] iw: Null check before accessing n_mcs variable If all cases will fail n_mcs variable fail to get any assignement and remain NULL. so better to check NULL before dereference. Signed-off-by: Amit Khatri --- bitrate.c |3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/bitrate.c b/bitrate.c index 4a026a4..3e58337 100644 --- a/bitrate.c +++ b/bitrate.c @@ -185,7 +185,8 @@ static int handle_bitrates(struct nl80211_state *state, return 1; if (tmpl < 0 || tmpl > 255) return 1; - mcs[(*n_mcs)++] = tmpl; + if(n_mcs!=NULL) + mcs[(*n_mcs)++] = tmpl; break; case S_VHT: if (*vht_argc >= VHT_ARGC_MAX) -- 1.7.9.5
[PATCH] IW: Zero or Uninitialized value of keylen passing
>From b755c8ee282abbd0008e9e7241c457662c90f2c3 Mon Sep 17 00:00:00 2001 From: Amit Khatri Date: Thu, 2 Nov 2017 15:55:16 +0530 Subject: [PATCH] IW: Zero or Uninitialized value of keylen passing In case of hexadeciaml keydata, keylen is not gettig updated and passing in NLA_PUT(msg, NL80211_KEY_DATA, keylen, keydata) as zero (becasue of local variable). This patch initilalize keylen variable in case of hexkey data. Signed-off-by: Amit Khatri --- util.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/util.c b/util.c index 25d909a..1ec0791 100644 --- a/util.c +++ b/util.c @@ -427,12 +427,14 @@ int parse_keys(struct nl_msg *msg, char **argv, int argc) switch (strlen(keydata)) { case 10: keydata = hex2bin(keydata, keybuf); + keylen = 5; case 5: NLA_PUT_U32(msg, NL80211_KEY_CIPHER, 0x000FAC01); keylen = 5; break; case 26: keydata = hex2bin(keydata, keybuf); + keylen = 13; case 13: NLA_PUT_U32(msg, NL80211_KEY_CIPHER, 0x000FAC05); keylen = 13; -- 2.7.4