Nmap Development mailing list archives
[checker] nmap: memory leak in nsock_printf
From: Ted Kremenek <kremenek () cs stanford edu>
Date: Tue, 2 May 2006 01:09:01 -0700
Hello,

I am a researcher at Stanford University working on static analysis
techniques for bug finding. My tool has discovered a potential memory
leak in nmap:

file: nsock/src/nsock_write.c
function: nsock_printf

Summary: buf2, when allocated at line 131, appears to always be leaked.

Suggested fix: add code at end of function to free buf2 (checking first
that buf2 != buf).

Cheers,
Ted

-----------------------------------------------------------------------------------------------------

/* Same as nsock_write except you can use a printf-style format and you
   can only use this for ASCII strings */
nsock_event_id nsock_printf(nsock_pool ms_pool, nsock_iod ms_iod,
                            nsock_ev_handler handler, int timeout_msecs,
                            void *userdata, char *format, ... ) {

  [ SNIP ]

  if (res != -1) {
    if (res > sizeof(buf)) {
      ==> LINE 131: memory allocated here and stored in buf2
      buf2 = (char *) safe_malloc(res + 16);
      res2 = vsnprintf(buf2, sizeof(buf), format, ap);
      if (res2 == -1 || res2 > res) {
        free(buf2);
        buf2 = NULL;
      } else
        strlength = res2;
    } else {
      buf2 = buf;
      strlength = res;
    }
  }

  => buf2 != NULL, so we take the false branch
  if (!buf2) {
    nse->event_done = 1;
    nse->status = NSE_STATUS_ERROR;
    nse->errnum = EMSGSIZE;
  } else {
    if (strlength == 0) {
      nse->event_done = 1;
      nse->status = NSE_STATUS_SUCCESS;
    } else {
      => buf2 passed to fscat, which does not free buf2
      fscat(&nse->iobuf, buf2, strlength);
    }
  }

  if (nsp->tracelevel > 0) {
    => assuming
    if (nsp->tracelevel > 1 && nse->status != NSE_STATUS_ERROR && strlength < 80) {
      memcpy(displaystr, ": ", 2);
      memcpy(displaystr + 2, buf2, strlength);
      => buf2 is no longer used after this point, buf2 is LEAKED

  [SNIP]
}

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
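Added example (not part of Ted's post and not nmap's own code): a self-contained C reconstruction of the buffer strategy the report describes, a small stack buffer with a heap fallback for strings that do not fit, where the consumer copies the bytes rather than taking ownership. The `iobuf_t` type, `iobuf_append()`, `buffered_printf()` and the `heap_bufs_outstanding` counter are all constructed stand-ins for nsock's iobuf, fscat() and nsock_printf(); the counter exists only so the leak is observable without a leak checker. The `apply_fix` argument selects between the leaking behaviour and the suggested fix (free `buf2` at the end, only when `buf2 != buf`).

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for nsock's iobuf: like fscat() in nsock, the
   consumer copies the bytes it is given and never takes ownership of the
   caller's buffer, so a heap-allocated buf2 remains the caller's to free. */
typedef struct {
    char *data;
    size_t len;
} iobuf_t;

static void iobuf_append(iobuf_t *io, const char *s, size_t n)
{
    char *p = realloc(io->data, io->len + n + 1);
    if (!p)
        abort();
    io->data = p;
    memcpy(io->data + io->len, s, n);
    io->len += n;
    io->data[io->len] = '\0';
}

/* Heap buffers allocated but not yet freed (constructed instrumentation). */
static int heap_bufs_outstanding = 0;

static int outstanding_heap_buffers(void)
{
    return heap_bufs_outstanding;
}

/* Same buffer strategy as the report describes for nsock_printf: try a small
   stack buffer first, fall back to a heap buffer when the string does not fit.
   apply_fix == 0 reproduces the reported leak; apply_fix == 1 adds the
   suggested fix. Returns the number of bytes appended, or -1 on error. */
static int buffered_printf(iobuf_t *io, int apply_fix, const char *format, ...)
{
    char buf[32];          /* deliberately small so long strings take the heap path */
    char *buf2 = NULL;
    int res, res2, strlength = 0;
    va_list ap;

    va_start(ap, format);
    res = vsnprintf(buf, sizeof(buf), format, ap);
    va_end(ap);
    if (res < 0)
        return -1;

    if ((size_t)res >= sizeof(buf)) {
        /* Did not fit: allocate what the string needs plus the NUL. */
        buf2 = malloc((size_t)res + 1);
        if (!buf2)
            return -1;
        heap_bufs_outstanding++;
        /* A va_list must be restarted before it is walked a second time, and
           the size passed here is the heap allocation, not the stack buffer. */
        va_start(ap, format);
        res2 = vsnprintf(buf2, (size_t)res + 1, format, ap);
        va_end(ap);
        if (res2 < 0 || res2 > res) {
            free(buf2);
            heap_bufs_outstanding--;
            return -1;
        }
        strlength = res2;
    } else {
        buf2 = buf;
        strlength = res;
    }

    /* The consumer copies the bytes; buf2 is still ours to release. */
    iobuf_append(io, buf2, (size_t)strlength);

    /* The fix from the report: release the heap buffer, never the stack one. */
    if (apply_fix && buf2 != buf) {
        free(buf2);
        heap_bufs_outstanding--;
    }
    return strlength;
}

int main(void)
{
    iobuf_t io = { NULL, 0 };
    /* Constructed input: longer than the 32-byte stack buffer. */
    const char *longmsg = "this string is definitely longer than thirty-two bytes";

    buffered_printf(&io, 1, "%s", longmsg);   /* fixed: heap buffer released */
    printf("after fixed call:   %d heap buffer(s) outstanding\n", outstanding_heap_buffers());
    buffered_printf(&io, 0, "%s", longmsg);   /* unfixed: one buffer leaked */
    printf("after unfixed call: %d heap buffer(s) outstanding\n", outstanding_heap_buffers());
    free(io.data);
    return 0;
}
```

The check `buf2 != buf` is what keeps the fix safe: the stack buffer must never reach free(), so the release is tied to the condition under which the allocation happened rather than to a separate flag that could drift out of sync with it. Running under a leak checker such as valgrind shows the same difference the counter reports.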
Current thread:
- [checker] nmap: memory leak in nsock_printf Ted Kremenek (May 02)
- Re: [checker] nmap: memory leak in nsock_printf Fyodor (May 02)
- Re: [checker] nmap: memory leak in nsock_printf Ted Kremenek (May 02)
- Re: [checker] nmap: memory leak in nsock_printf Fyodor (May 02)