Nmap Development mailing list archives

[checker] nmap: memory leak in nsock_printf


From: Ted Kremenek <kremenek () cs stanford edu>
Date: Tue, 2 May 2006 01:09:01 -0700

Hello,

I am a researcher at Stanford University working on static analysis  
techniques for bug finding.  My tool has discovered a potential  
memory leak in nmap:

file: nsock/src/nsock_write.c
function: nsock_printf

Summary: buf2, when allocated at line 131, appears to always be leaked
Suggested fix: add code at end of function to free buf2 (checking  
first that buf2 != buf)

Cheers,
Ted

-------------------------------------------------------------------------------------------------------

/* Same as nsock_write except you can use a printf-style format and  
you can only use this for ASCII strings */
nsock_event_id nsock_printf(nsock_pool ms_pool, nsock_iod ms_iod,
                      nsock_ev_handler handler, int timeout_msecs,
                      void *userdata, char *format, ... ) {


[ SNIP ]

   if (res != -1) {
     if (res > sizeof(buf)) {

==> LINE 131: memory allocated here and stored in buf2
       buf2 = (char * ) safe_malloc(res + 16);

       res2 = vsnprintf(buf2, sizeof(buf), format, ap);
       if (res2 == -1 || res2 > res) {
        free(buf2);
        buf2 = NULL;
       } else strlength = res2;
     } else {
       buf2 = buf;
       strlength = res;
     }
   }

=> buf2 != NULL, so we take the false branch

   if (!buf2) {
     nse->event_done = 1;
     nse->status = NSE_STATUS_ERROR;
     nse->errnum = EMSGSIZE;
   } else {
     if (strlength == 0) {
       nse->event_done = 1;
       nse->status = NSE_STATUS_SUCCESS;
     } else {

=> buf2 passed to fscat, which does not free buf2

       fscat(&nse->iobuf, buf2, strlength);
     }
   }

   if (nsp->tracelevel > 0) {

=> assuming
     if (nsp->tracelevel > 1 && nse->status != NSE_STATUS_ERROR &&  
strlength < 80) {
       memcpy(displaystr, ": ", 2);
       memcpy(displaystr + 2, buf2, strlength);

=> buf2 is no longer used after this point, buf2 is LEAKED

[SNIP]

}




_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
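The ownership rule behind the report above, written out as an added example (this is not Nmap's code and not from the report; the names `struct iobuf`, `iobuf_append`, `append_printf` and `demo` are hypothetical stand-ins for nsock's iobuf, fscat and nsock_printf). It reproduces the stack-buffer-then-heap pattern from the quoted function and shows the fix the report suggests: the heap buffer is released at the end of the function, guarded by `buf2 != buf`, because the sink only copies the bytes and never takes ownership. Two details differ from the quoted snippet by design: the second vsnprintf is bounded by the allocation rather than by sizeof(buf), and the va_list is duplicated with va_copy before it is consumed a second time, since C99 does not allow a va_list to be reused after it has been passed to vsnprintf.

```c
/* Added example, not Nmap's code: the fixed-buffer / heap-fallback
 * pattern of nsock_printf with the buffer freed on the way out. */
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical sink standing in for fscat(): it copies the bytes it is
 * handed and never takes ownership of the pointer, so the caller still
 * owns (and must free) any heap buffer it passed in. */
struct iobuf { char *data; size_t len; };

static void iobuf_append(struct iobuf *b, const char *s, size_t n) {
    char *p = realloc(b->data, b->len + n + 1);
    if (!p) abort();
    b->data = p;
    memcpy(b->data + b->len, s, n);
    b->len += n;
    b->data[b->len] = '\0';
}

/* Format into `out` the way nsock_printf does: try a fixed stack buffer,
 * fall back to a heap buffer when the result does not fit. Returns the
 * number of bytes appended, or -1 on a formatting/allocation error. */
static int append_printf(struct iobuf *out, const char *format, ...) {
    char buf[256];          /* fixed buffer, as in nsock_printf */
    char *buf2 = buf;       /* whichever buffer ends up holding the text */
    va_list ap, ap2;
    int res;

    va_start(ap, format);
    va_copy(ap2, ap);       /* a va_list cannot be reused after vsnprintf */
    res = vsnprintf(buf, sizeof(buf), format, ap);
    va_end(ap);
    if (res < 0) {
        va_end(ap2);
        return -1;
    }

    /* vsnprintf returns the length excluding the NUL, so res >= sizeof(buf)
     * means the stack copy was truncated and we need res + 1 bytes. */
    if ((size_t)res >= sizeof(buf)) {
        buf2 = malloc((size_t)res + 1);
        if (!buf2) {
            va_end(ap2);
            return -1;
        }
        /* bound the second call by the allocation, not by sizeof(buf) */
        int res2 = vsnprintf(buf2, (size_t)res + 1, format, ap2);
        if (res2 < 0 || res2 > res) {
            free(buf2);
            va_end(ap2);
            return -1;
        }
    }
    va_end(ap2);

    iobuf_append(out, buf2, (size_t)res);   /* sink copies; does not free */

    /* The fix suggested in the report: free the heap buffer, but only
     * when buf2 is not the stack buffer. Omitting this is the leak. */
    if (buf2 != buf)
        free(buf2);
    return res;
}

/* Drive both paths (stack and heap) and return the total bytes buffered,
 * or -1 if any step misbehaves. Inputs are constructed for the demo. */
static int demo(void) {
    struct iobuf out = { NULL, 0 };
    char big[301];
    memset(big, 'A', 300);
    big[300] = '\0';

    int a = append_printf(&out, "x=%d", 42);     /* 4 bytes: fits in buf */
    int b = append_printf(&out, "%s", big);      /* 300 >= 256: heap path */
    int ok = a == 4 && b == 300 && out.len == 304
             && memcmp(out.data, "x=42", 4) == 0
             && out.data[303] == 'A';
    free(out.data);
    return ok ? 304 : -1;
}

int main(void) {
    printf("buffered %d bytes\n", demo());
    return 0;
}
```

Running the demo under valgrind or with `-fsanitize=address` and deleting the `if (buf2 != buf) free(buf2);` line reproduces the leak the checker found: every call whose output exceeds the stack buffer loses `res + 1` bytes, while the short calls are unaffected, which is why the problem only shows up on long formatted strings.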

