NetBSD-Bugs archive
lib/46456: xmalloc.c issue (after xfree(cp), cp is used in irealloc())
>Number: 46456
>Category: lib
>Synopsis: xmalloc.c issue (after xfree(cp), cp is used in irealloc())
>Confidential: no
>Severity: non-critical
>Priority: high
>Responsible: lib-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Wed May 16 06:25:00 +0000 2012
>Originator: Amol Pise
>Release: NetBSD 5.0
>Organization:
Tata Elxsi
>Environment:
Not applicable
>Description:
I used NetBSD-5 for my system and, during code observation, I have seen in
xmalloc.c that the pointer "cp" is used after xfree(cp).
How is it possible? Please see the code below.
# cat src/libexec/ld.elf_so/xmalloc.c
{{{
332 static void *
333 irealloc(void *cp, size_t nbytes)
334 {
335         register u_int onb;
336         register int i;
337         union overhead *op;
338         char *res;
:
:
<snip>
358         /* avoid the copy if same size block */
359         if (i) {
360                 i = 1 << (i + 2);
361                 if (i < pagesz)
362                         i -= sizeof (*op) + RSLOP;
363                 else
364                         i += pagesz - sizeof (*op) - RSLOP;
365         }
366         if (nbytes <= onb && nbytes > i) {
367 #ifdef RCHECK
368                 op->ov_size = (nbytes + RSLOP - 1) & ~(RSLOP - 1);
369                 *(u_short *)((caddr_t)(op + 1) + op->ov_size) = RMAGIC;
370 #endif
371                 return(cp);
372         } else
373                 xfree(cp);
374         if ((res = imalloc(nbytes)) == NULL)
375                 return (NULL);
376         if (cp != res)          /* common optimization if "compacting" */
377                 memcpy(res, cp, (nbytes < onb) ? nbytes : onb);
378         return (res);
379 }
}}}
In the above code, at line 373 xfree(cp) is done and at line 377 cp is used to
copy to the result. The code is clearly wrong; this needs to be fixed.
>How-To-Repeat:
Based on code inspection
>Fix:
Christos suggested the fix below:
Index: xmalloc.c
===================================================================
RCS file: /cvsroot/src/libexec/ld.elf_so/xmalloc.c,v
retrieving revision 1.11
diff -u -u -r1.11 xmalloc.c
--- xmalloc.c 25 May 2011 14:41:46 -0000 1.11
+++ xmalloc.c 14 May 2012 16:03:13 -0000
@@ -369,12 +369,13 @@
*(u_short *)((caddr_t)(op + 1) + op->ov_size) = RMAGIC;
#endif
return(cp);
- } else
- xfree(cp);
+ }
if ((res = imalloc(nbytes)) == NULL)
return (NULL);
- if (cp != res) /* common optimization if "compacting" */
+ if (cp != res) { /* common optimization if "compacting" */
memcpy(res, cp, (nbytes < onb) ? nbytes : onb);
+ xfree(cp);
+ }
return (res);
}
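Review bot: with `xfree(cp)` moved after the `memcpy`, `cp` is still allocated when `imalloc(nbytes)` runs, so `imalloc` can no longer hand back cp's own block and `cp != res` is now always true; the `/* common optimization if "compacting" */` comment on that line is stale and should either be reworded (the block is freed only once its contents have been copied out) or the comparison dropped. Worth spelling out in the commit message as well: on the `imalloc` failure path the old code had already freed `cp` before `return (NULL)`, whereas the new code leaves `cp` intact, which is the usual realloc contract and a behaviour change callers may rely on.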
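The ordering bug and its fix, as an added C example that is not part of this PR or of ld.elf_so: it uses a constructed fixed-slot allocator whose free poisons the block, so the unfixed free-then-copy order visibly loses the data (the "compacting" path hands the freed block straight back), while the copy-then-free order of the proposed fix keeps it. All names below are the example's own.

```c
#include <string.h>
/* Tiny fixed-slot allocator, constructed for this example (not ld.elf_so's xmalloc).
 * Its free poisons the block, as debug allocators do, so a stale read is visible. */
#define POOL_SLOTS 4
#define SLOT_SIZE  32
static unsigned char pool[POOL_SLOTS][SLOT_SIZE];
static int slot_used[POOL_SLOTS];

static void *pool_alloc(size_t n)
{
    for (int i = 0; n <= SLOT_SIZE && i < POOL_SLOTS; i++)
        if (!slot_used[i]) { slot_used[i] = 1; return pool[i]; }
    return NULL;
}
static void pool_free(void *p)
{
    for (int i = 0; i < POOL_SLOTS; i++)
        if ((void *)pool[i] == p) { slot_used[i] = 0; memset(pool[i], 0xdd, SLOT_SIZE); }
}

/* Ordering of the unfixed irealloc(): free cp, allocate, then copy from cp. */
void *realloc_buggy(void *cp, size_t onb, size_t nbytes)
{
    pool_free(cp);                          /* cp is dead from here on */
    void *res = pool_alloc(nbytes);
    if (res != NULL && cp != res)           /* "compacting": cp's block may be reused */
        memcpy(res, cp, nbytes < onb ? nbytes : onb);   /* reads freed memory */
    return res;
}

/* Ordering of the proposed fix: allocate, copy while cp is live, then free. */
void *realloc_fixed(void *cp, size_t onb, size_t nbytes)
{
    void *res = pool_alloc(nbytes);
    if (res == NULL) return NULL;           /* caller still owns cp, as realloc(3) requires */
    if (cp != res) {
        memcpy(res, cp, nbytes < onb ? nbytes : onb);
        pool_free(cp);
    }
    return res;
}

/* Grow an 8-byte string block to 16 bytes; returns 1 if its contents survived. */
int contents_survive(int use_fixed)
{
    memset(slot_used, 0, sizeof slot_used);
    char *p = pool_alloc(8);
    strcpy(p, "abcdefg");
    char *q = use_fixed ? realloc_fixed(p, 8, 16) : realloc_buggy(p, 8, 16);
    return q != NULL && strcmp(q, "abcdefg") == 0;
}
```

With the real BSD allocator the buggy order happened to work because xfree did not scribble on the block; a poisoning free, as in the example, is what turns this class of defect into a reproducible failure rather than silent luck.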