[smartmontools-support] memory corruption problem on NetBSD

Christian Franke Christian.Franke at t-online.de
Tue Jun 11 21:44:56 CEST 2019


Alexander Nasonov wrote:
> netbsd_smart_interface::get_dev_names() doesn't return a failure
> early when no devices match a prefix (n == 0) and leads to
> memory corruption later. The patch below fixes this problem.
>

Thanks for the patch. Did you actually see any memory corruption (or 
crash)?

The (n==0) check has been missing since the very first check-in of the 
NetBSD port 15+ years ago:
https://www.smartmontools.org/browser/trunk/sm5/os_netbsd.c?rev=1434

Note that realloc(mp, 0) calls free(mp). The return value is 
implementation specific. If NULL is returned, a double free(mp) occurs.
But on NetBSD, this is only the case if SysV realloc semantics is 
selected (export MALLOC_OPTIONS=V).
Otherwise, realloc(mp, 0) returns a non-NULL pointer to unusable memory 
and no memory corruption should occur.
See: http://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/stdlib/malloc.c


>       n++;
>     }
>   
> +  if (n == 0)
> +    return -1;
> +
>     char ** tmp = (char **)realloc(mp, n * (sizeof(char *)));
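
Review bot: the `return -1` under the new `if (n == 0)` check exits ahead of the `realloc(mp, ...)` line without releasing `mp`, so the array leaks on that path, and an empty match is reported with the failure value. Free `mp` before returning and return 0 for the empty case; a one-line comment saying the guard exists to avoid a zero-size `realloc` would document why it is there.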

- Returning -1 aborts any device scanning for other types.
- Skipping realloc() produces a memory leak.

And BTW, there is a very old memory leak: disknames

This leads to this patch (not actually tested):

      n++;
    }
+  free(disknames);

+  if (n == 0) {
+    free(mp);
+    return 0;
+  }
+
    char ** tmp = (char **)realloc(mp, n * (sizeof(char *)));
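
Review bot: the `free(disknames)` added right after the loop is only safe if nothing stored in `mp` still points into that buffer and no later code in the function reads it; neither is visible in this hunk, so confirm the stored names are separate copies. The `if (n == 0)` block would benefit from a short comment that it avoids calling `realloc` with size 0, and since the patch is marked as not tested, it needs a run with a prefix that matches no device before it goes in.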

Regards,
Christian
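
The n == 0 handling discussed in this message, as an added example in C (not smartmontools code and not part of the original mail). `collect_names`, `free_names` and the sample device names are hypothetical and constructed for illustration.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper: release a name array holding n copied strings. */
static void free_names(char **mp, size_t n)
{
  for (size_t i = 0; i < n; i++)
    free(mp[i]);
  free(mp);
}

/* Hypothetical helper: copy the entries of `all` that start with `prefix`.
 * Returns the match count (0 is a valid result, *out = NULL),
 * or -1 on allocation failure. */
static int collect_names(const char *const *all, size_t total,
                         const char *prefix, char ***out)
{
  *out = NULL;
  if (total == 0) return 0;
  char **mp = (char **)calloc(total, sizeof(char *));
  if (!mp) return -1;
  size_t n = 0, plen = strlen(prefix);
  for (size_t i = 0; i < total; i++) {
    if (strncmp(all[i], prefix, plen) != 0) continue;
    size_t len = strlen(all[i]) + 1;
    mp[n] = (char *)malloc(len);
    if (!mp[n]) { free_names(mp, n); return -1; }
    memcpy(mp[n], all[i], len);
    n++;
  }
  /* realloc(mp, 0) may free mp and return NULL; an error path that then
   * calls free(mp) would free it twice. Handle the empty case first. */
  if (n == 0) {
    free(mp);
    return 0;
  }
  char **tmp = (char **)realloc(mp, n * sizeof(char *));
  if (tmp) mp = tmp;      /* if the shrink fails, mp is still valid */
  *out = mp;
  return (int)n;
}

int main(void)
{
  const char *const names[] = {"wd0", "sd0", "wd1", "cd0"}; /* constructed */
  char **out;
  int n = collect_names(names, 4, "ld", &out);              /* no match */
  return (n == 0 && out == NULL) ? 0 : 1;
}
```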



