#187 memory leak in ipcname_gettotal() path

default
closed-fixed
John Hughes
IPC (12)
5
2010-03-13
2009-03-28
Roger Tsang
No

Discussion

  • Roger Tsang
    Roger Tsang
    2009-03-28

    fix attached

     
  • Roger Tsang
    Roger Tsang
    2009-03-28

    • status: open --> open-accepted
     
  • Roger Tsang
    Roger Tsang
    2009-04-28

    There is also a memory corruption bug in this path.
    When doing RPC, the length passed for the `node_id_pairs` buffer is incorrect.

    --- linux.orig/cluster/ssi/ipc/namesvr_clnt.c
    +++ linux/cluster/ssi/ipc/namesvr_clnt.c
    @@ -188,7 +188,7 @@ again:
    {
    clusternode_t server_node;
    - int status, rval, len = 0;
    + int rval;
    extern clms_key_svc_t ipc_key_service;
    again:
    server_node = name_server_node;
    @@ -203,13 +203,12 @@ again:
    rval = ipcname_gettotal(service, *node_id_pairs, sz);
    } else {
    ssi_procstate_t pstate;
    + int status, count = *sz;

    - if (*sz > 0)
    - len = *sz * sizeof(struct ssi_nodeid_pair);
    ssi_procstate_get(&pstate);

    - node_id_pairs, &len, sz);
    + node_id_pairs, &count, sz);
    if (status == -EAGAIN || status == -EREMOTE) {
    /* Server is doing failover,dying, or isn't ready yet.*/
    clms_waitfor_key_service(0);
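Review bot: `count = *sz` on the added declaration line forwards whatever capacity the caller put in `*sz`, while the removed `if (*sz > 0)` guard used to leave the transmitted length at 0 for a non-positive `*sz`; if any local caller can pass a zero or negative capacity, a negative element count now goes out over the RPC. Initializing it as `int status, count = *sz > 0 ? *sz : 0;` keeps the old normalization at no cost. The line that issues the RPC call itself (the one continuing with `node_id_pairs, &count, sz);`) and the start of the enclosing function are not visible in this hunk, so I cannot see whether the client inspects the clamped `count` after the call.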
    Index: linux/cluster/ssi/ipc/namesvr_svr.c
    ===================================================================
    @@ -88,34 +88,33 @@ ripc_ipcname_getid(clusternode_t *node,
    */
    void
    - int *len, int *sz)
    + ssi_procstate_t *pstate,
    + struct ssi_nodeid_pair **node_id_pairs, int *count,
    + int *sz)
    {
    ssi_procstate_t save_pstate;
    - int count = *sz;

    if (ipcname_failover_flag) {
    *rval = -EAGAIN;
    return;
    }

    - *len = 0;
    ssi_procstate_get(&save_pstate);
    ssi_procstate_set(pstate);
    - if (count > 0) {
    - if (*node_id_pairs == NULL) {
    - *sz = 0;
    + if (*count > 0) {
    + if (!*node_id_pairs) {
    + *count = *sz = 0;
    goto done;
    }
    }

    *rval = ipcname_gettotal(service, *node_id_pairs, sz);
    - if (count > 0) {
    - if (count > *sz)
    - count = *sz;
    - *len = count * sizeof(**node_id_pairs);
    - }
    + if (!*rval) {
    + if (*count && *sz < *count)
    + *count = *sz;
    + } else
    + *count = 0;
    done:
    ssi_procstate_set(&save_pstate);
    }
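Review bot: The `goto done` taken right after the added `*count = *sz = 0;` returns without assigning `*rval`, so unless the RPC stub pre-initializes it the remote caller reads an indeterminate result code; assign it before the jump, e.g. `*rval = -EINVAL;` (or `0` if an empty reply is the intended contract for a missing vector). That guard is also only entered for `*count > 0`: a negative `*count` from the peer skips it, reaches `ipcname_gettotal`, and is echoed back unchanged by the new `if (*count && *sz < *count)` clamp, whereas the removed code left the reply length at 0 for any non-positive count; `if (*count < 0) *count = 0;` ahead of the guard restores that. Both `*count` and `*sz` arrive from the remote node, and if `ipcname_gettotal` fills up to `*sz` entries while the transport sized the vector from `*count`, `*sz` would additionally need clamping to `*count` before the call — I cannot confirm that from this hunk. The function's parameter lines are only partly visible here.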

     
  • Roger Tsang
    Roger Tsang
    2009-04-28

    node_id_pairs is a vector

     
  • Roger Tsang
    Roger Tsang
    2009-10-27

    • status: open-accepted --> open-fixed
     
  • Roger Tsang
    Roger Tsang
    2009-10-27

    checked-in

     
  • Roger Tsang
    Roger Tsang
    2010-03-13

    • status: open-fixed --> closed-fixed