public inbox for glibc-bugs@sourceware.org
* [Bug nis/28150] New: nis: nis_getnames can leak on realloc failure
@ 2021-07-28 18:16 rharwood at redhat dot com
From: rharwood at redhat dot com @ 2021-07-28 18:16 UTC
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=28150

            Bug ID: 28150
           Summary: nis: nis_getnames can leak on realloc failure
           Product: glibc
           Version: unspecified
            Status: NEW
          Severity: minor
          Priority: P2
         Component: nis
          Assignee: unassigned at sourceware dot org
          Reporter: rharwood at redhat dot com
                CC: kukuk at suse dot de
  Target Milestone: ---

If realloc fails when size >= pos, tmp has not been placed in getnames and so
will not be released.  Since this requires an allocation failure, it's unlikely
to matter in practice.

Reported by Coverity while inspecting libnsl; the full trace is:

libnsl-1.3.0/src/nisplus/nis_subr.c:243: alloc_fn: Storage is returned from
allocation function "malloc".
libnsl-1.3.0/src/nisplus/nis_subr.c:243: var_assign: Assigning: "tmp" = storage
returned from "malloc(cplen + local_domain_len + name_len + 2UL)".
libnsl-1.3.0/src/nisplus/nis_subr.c:247: identity_transfer: Passing "tmp" as
argument 1 to function "stpcpy", which returns an offset off that argument.
[Note: The source code implementation of the function has been overridden by a
builtin model.]
libnsl-1.3.0/src/nisplus/nis_subr.c:247: noescape: Resource "tmp" is not freed
or pointed-to in "stpcpy". [Note: The source code implementation of the
function has been overridden by a builtin model.]
libnsl-1.3.0/src/nisplus/nis_subr.c:247: var_assign: Assigning: "p" = storage
returned from "stpcpy(tmp, name)".
libnsl-1.3.0/src/nisplus/nis_subr.c:249: identity_transfer: Passing "p" as
argument 1 to function "mempcpy", which returns an offset off that argument.
[Note: The source code implementation of the function has been overridden by a
builtin model.]
libnsl-1.3.0/src/nisplus/nis_subr.c:249: noescape: Resource "p" is not freed or
pointed-to in "mempcpy". [Note: The source code implementation of the function
has been overridden by a builtin model.]
libnsl-1.3.0/src/nisplus/nis_subr.c:249: var_assign: Assigning: "p" = storage
returned from "mempcpy(p, cp, cplen)".
libnsl-1.3.0/src/nisplus/nis_subr.c:253: noescape: Resource "p" is not freed or
pointed-to in "stpcpy". [Note: The source code implementation of the function
has been overridden by a builtin model.]
libnsl-1.3.0/src/nisplus/nis_subr.c:254: leaked_storage: Variable "p" going out
of scope leaks the storage it points to.
libnsl-1.3.0/src/nisplus/nis_subr.c:277: leaked_storage: Variable "tmp" going
out of scope leaks the storage it points to.
#  275|                                         (count + 1) * sizeof (char *));
#  276|               if (newp == NULL)
#  277|->               goto free_null;
#  278|               getnames = newp;
#  279|             }

-- 
You are receiving this mail because:
You are on the CC list for the bug.
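
The failure mode described in the report, as an added example that is not part of the original thread and is not the libnsl or glibc source: a simplified model of a growing name array in which `tmp` is allocated before the array is resized. `build_names`, the `x_*` counting allocator and the sample names are hypothetical; `fixed` selects freeing `tmp` before the jump, which is one way to close the leak and not necessarily the fix linked in the thread.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed test allocator: counts live blocks, can fail the Nth realloc. */
static int live, realloc_calls, fail_realloc_at;
static void *x_malloc(size_t n) { void *p = malloc(n); if (p) live++; return p; }
static void x_free(void *p) { if (p) { live--; free(p); } }
static void *x_realloc(void *p, size_t n) {
    if (++realloc_calls == fail_realloc_at) return NULL; /* old block stays valid */
    return realloc(p, n);
}

/* Returns a NULL-terminated array of copies, or NULL on allocation failure. */
static char **build_names(const char *const *src, size_t n, int fixed) {
    size_t count = 1, pos = 0;
    char **getnames = x_malloc((count + 1) * sizeof (char *));
    if (getnames == NULL) return NULL;
    for (size_t i = 0; i < n; i++) {
        char *tmp = x_malloc(strlen(src[i]) + 1);
        if (tmp == NULL) goto free_null;
        strcpy(tmp, src[i]);
        if (pos >= count) {
            count += 5;
            char **newp = x_realloc(getnames, (count + 1) * sizeof (char *));
            if (newp == NULL) {
                if (fixed) x_free(tmp); /* tmp is not in getnames yet */
                goto free_null;         /* cleanup only sees getnames[0..pos) */
            }
            getnames = newp;
        }
        getnames[pos++] = tmp;
    }
    getnames[pos] = NULL;
    return getnames;
free_null:
    while (pos-- > 0) x_free(getnames[pos]);
    x_free(getnames);
    return NULL;
}

/* Fails the first realloc; returns the number of blocks left allocated. */
static int leaked_after_failure(int fixed) {
    static const char *const src[] = { "a.example.", "b.example.", "c.example." };
    live = 0; realloc_calls = 0; fail_realloc_at = 1;
    return build_names(src, 3, fixed) == NULL ? live : -1;
}

int main(void) {
    return (leaked_after_failure(0) == 1 && leaked_after_failure(1) == 0) ? 0 : 1;
}
```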


* [Bug nis/28150] nis: nis_getnames can leak on realloc failure
@ 2021-07-28 18:26 rharwood at redhat dot com
From: rharwood at redhat dot com @ 2021-07-28 18:26 UTC
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=28150

--- Comment #1 from Robbie Harwood <rharwood at redhat dot com> ---
(My proposed fix for this is
https://sourceware.org/pipermail/libc-alpha/2021-July/129573.html )
