[smartmontools-support] memory corruption problem on NetBSD
Christian Franke
Christian.Franke at t-online.de
Tue Jun 11 21:44:56 CEST 2019
Alexander Nasonov wrote:
> netbsd_smart_interface::get_dev_names() doesn't return a failure
> early when no devices match a prefix (n == 0) and leads to a memory
> corruption later. The patch below fixes this problem.
>
Thanks for the patch. Did you actually see any memory corruption (or
crash)?

The (n==0) check has been missing since the very first checkin of the
NetBSD port 15+ years ago:
https://www.smartmontools.org/browser/trunk/sm5/os_netbsd.c?rev=1434

Note that realloc(mp, 0) calls free(mp). The return value is
implementation specific. If NULL is returned, a double free(mp) occurs.
But on NetBSD, this is only the case if SysV realloc semantics is
selected (export MALLOC_OPTIONS=V).
Otherwise, realloc(mp, 0) returns a non-NULL pointer to unusable memory
and no memory corruption should occur.
See: http://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/stdlib/malloc.c
> n++;
> }
>
> + if (n == 0)
> + return -1;
> +
> char ** tmp = (char **)realloc(mp, n * (sizeof(char *)));
- Returning -1 aborts any device scanning for other types.
- Skipping realloc() produces a memory leak.
And BTW, there is a very old memory leak: disknames
This leads to this patch (not actually tested):
n++;
}
+ free(disknames);
+ if (n == 0) {
+ free(mp);
+ return 0;
+ }
+
char ** tmp = (char **)realloc(mp, n * (sizeof(char *)));
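Review bot: the n == 0 branch returns 0 right after free(mp), but nothing in the visible lines clears the pointer through which the caller receives the list, so a caller that reads it after a 0 return would touch freed memory; set it to NULL before `return 0;` or state that contract in a comment. The new free(disknames) runs before the n == 0 check and before realloc(), which is only correct if the loop above stored copies in mp rather than pointers into disknames, and since the patch is marked as not tested that is worth confirming.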
Regards,
Christian
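
Added example, not part of the original message and not smartmontools code: a sketch of the "no match" handling discussed above, in which realloc(mp, 0) is never reached, the array is released exactly once, and 0 is returned as a non-error result. The names finish_names, scan_names and SAMPLE are hypothetical, and the disk names are constructed sample input.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample input standing in for the kernel's disk-name list. */
static const char *const SAMPLE[] = { "wd0", "wd1", "sd0" };

/* Hypothetical helper: trim mp to n entries without calling realloc(mp, 0).
 * Consumes mp. Returns n; 0 means "no match", with *out left NULL. */
static int finish_names(char **mp, size_t n, char ***out)
{
    *out = NULL;
    if (n == 0) {
        free(mp);                  /* released exactly once, here */
        return 0;
    }
    char **tmp = realloc(mp, n * sizeof(char *));
    *out = tmp ? tmp : mp;         /* failed shrink leaves mp valid */
    return (int)n;
}

/* Hypothetical scan: copy every name that starts with prefix. */
static int scan_names(const char *const *disks, size_t count,
                      const char *prefix, char ***out)
{
    size_t n = 0, plen = strlen(prefix);
    char **mp = calloc(count ? count : 1, sizeof(char *));
    *out = NULL;
    if (mp == NULL)
        return -1;
    for (size_t i = 0; i < count; i++) {
        if (strncmp(disks[i], prefix, plen) != 0)
            continue;
        size_t len = strlen(disks[i]) + 1;
        if ((mp[n] = malloc(len)) == NULL) {
            while (n > 0) free(mp[--n]);
            free(mp);
            return -1;
        }
        memcpy(mp[n++], disks[i], len);
    }
    return finish_names(mp, n, out);
}
int main(void)
{
    char **names;
    printf("ld -> %d\n", scan_names(SAMPLE, 3, "ld", &names));
    return names != NULL;          /* no match: nothing to free */
}
```

Running it under a checker such as valgrind or AddressSanitizer with a prefix that matches nothing is a quick way to confirm there is no double free and no leak on that path.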