* [PATCH] win32: syslog: prevent potential realloc memory leak @ 2014-12-13 9:41 Arjun Sreedharan 2014-12-15 18:11 ` Junio C Hamano 0 siblings, 1 reply; 4+ messages in thread From: Arjun Sreedharan @ 2014-12-13 9:41 UTC (permalink / raw) To: git mailing list, Junio C Hamano use a temporary variable to free the memory in case realloc() fails. Signed-off-by: Arjun Sreedharan <arjun024@gmail.com> --- compat/win32/syslog.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/compat/win32/syslog.c b/compat/win32/syslog.c index d015e43..3409e43 100644 --- a/compat/win32/syslog.c +++ b/compat/win32/syslog.c @@ -16,7 +16,7 @@ void openlog(const char *ident, int logopt, int facility) void syslog(int priority, const char *fmt, ...) { WORD logtype; - char *str, *pos; + char *str, *str_temp, *pos; int str_len; va_list ap; @@ -43,9 +43,11 @@ void syslog(int priority, const char *fmt, ...) va_end(ap); while ((pos = strstr(str, "%1")) != NULL) { + str_temp = str; str = realloc(str, ++str_len + 1); if (!str) { warning("realloc failed: '%s'", strerror(errno)); + free(str_temp); return; } memmove(pos + 2, pos + 1, strlen(pos)); -- 1.8.1.msysgit.1 ^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH] win32: syslog: prevent potential realloc memory leak 2014-12-13 9:41 [PATCH] win32: syslog: prevent potential realloc memory leak Arjun Sreedharan @ 2014-12-15 18:11 ` Junio C Hamano 2015-01-25 21:38 ` Erik Faye-Lund 0 siblings, 1 reply; 4+ messages in thread From: Junio C Hamano @ 2014-12-15 18:11 UTC (permalink / raw) To: git mailing list, Erik Faye-Lund; +Cc: Arjun Sreedharan, Mike Pape Arjun Sreedharan <arjun024@gmail.com> writes: > use a temporary variable to free the memory in case > realloc() fails. > > Signed-off-by: Arjun Sreedharan <arjun024@gmail.com> > --- > compat/win32/syslog.c | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > > diff --git a/compat/win32/syslog.c b/compat/win32/syslog.c > index d015e43..3409e43 100644 > --- a/compat/win32/syslog.c > +++ b/compat/win32/syslog.c > @@ -16,7 +16,7 @@ void openlog(const char *ident, int logopt, int facility) > void syslog(int priority, const char *fmt, ...) > { > WORD logtype; > - char *str, *pos; > + char *str, *str_temp, *pos; > int str_len; > va_list ap; > > @@ -43,9 +43,11 @@ void syslog(int priority, const char *fmt, ...) > va_end(ap); > > while ((pos = strstr(str, "%1")) != NULL) { > + str_temp = str; > str = realloc(str, ++str_len + 1); > if (!str) { > warning("realloc failed: '%s'", strerror(errno)); > + free(str_temp); > return; > } Hmm, the original, 088d8802 (mingw: implement syslog, 2010-11-04), that introduced the special casing for %1, says: Syslog does not usually exist on Windows, so implement our own using Window's ReportEvent mechanism. Strings containing "%1" gets expanded into them selves by ReportEvent, resulting in an unreadable string. "%2" and above is not a problem. Unfortunately, on Windows an IPv6 address can contain "%1", so expand "%1" to "% 1" before reporting. "%%1" is also a problem for ReportEvent, but that string cannot occur in an IPv6 address. It is unclear why it says '"%2" and above is not a problem' to me. Is that because they expand to something not "an unreadable string", or is that because in the original developer's testing only "%1" was observed? It also says "%%1" is a problem, and it does not occur in an IPv6 address, but that would suggest that every time a new caller is added to syslog(), this imitation of syslog() can break, as there is nothing that says the new caller must be reporting something about an IP address. Perhaps this loop should cleanse what it passes to ReportEvent() a bit more aggressively by expanding all "%" to "%-sp" or something)? Regardless of that funny %1 business, I notice in http://msdn.microsoft.com/en-us/library/windows/desktop/aa363679%28v=vs.85%29.aspx that each element of lpStrings array that is passed to ReportEvent() is limited to 32k or so. Wouldn't it make it a lot simpler if we removed the dynamic allocation and use a fixed sized 32k buffer here (and truncate the result as necessary)? That would make the "leak" disappear automatically. Having said all that, if we were to still go with the current code structure, "str_temp" should be scoped inside the loop, as there is no need to make it available to the remainder of the function, I think. Also writing this way may make the intention more clear. while (...) { char *new_str = realloc(str, ...); if (!new_str) { free(str); return; } memmove(... to shuffle ...); And after starting to write the above, I notice that the current code around realloc may be completely bogus. It goes like this: while ((pos = strstr(str, "..."))) { str = realloc(str, ...); if (!str) { warn and bail; } memmove(pos + 1, pos + 1, ...); pos[1] = ' '; } If realloc() really allocated a new string, then pos that points into the original str has no relation to the reallocated str, so memmove() is not shuffling the string to make room for the SP in the string that will be given to ReportEvent() at all, no? This seems to be a bug introduced by 2a6b149c (mingw: avoid using strbuf in syslog, 2011-10-06). It makes me wonder if this codepath ever triggers in the first place. ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH] win32: syslog: prevent potential realloc memory leak 2014-12-15 18:11 ` Junio C Hamano @ 2015-01-25 21:38 ` Erik Faye-Lund 2015-01-26 4:25 ` Junio C Hamano 0 siblings, 1 reply; 4+ messages in thread From: Erik Faye-Lund @ 2015-01-25 21:38 UTC (permalink / raw) To: Junio C Hamano Cc: git mailing list, Erik Faye-Lund, Arjun Sreedharan, Mike Pape Sorry for very late reply. I had a bug in my mail rules that caused this email to skip my inbox. That should be fixed now. On Mon, Dec 15, 2014 at 7:11 PM, Junio C Hamano <gitster@pobox.com> wrote: > Arjun Sreedharan <arjun024@gmail.com> writes: > >> use a temporary variable to free the memory in case >> realloc() fails. >> >> Signed-off-by: Arjun Sreedharan <arjun024@gmail.com> >> --- >> compat/win32/syslog.c | 4 +++- >> 1 file changed, 3 insertions(+), 1 deletion(-) >> >> diff --git a/compat/win32/syslog.c b/compat/win32/syslog.c >> index d015e43..3409e43 100644 >> --- a/compat/win32/syslog.c >> +++ b/compat/win32/syslog.c >> @@ -16,7 +16,7 @@ void openlog(const char *ident, int logopt, int facility) >> void syslog(int priority, const char *fmt, ...) >> { >> WORD logtype; >> - char *str, *pos; >> + char *str, *str_temp, *pos; >> int str_len; >> va_list ap; >> >> @@ -43,9 +43,11 @@ void syslog(int priority, const char *fmt, ...) >> va_end(ap); >> >> while ((pos = strstr(str, "%1")) != NULL) { >> + str_temp = str; >> str = realloc(str, ++str_len + 1); >> if (!str) { >> warning("realloc failed: '%s'", strerror(errno)); >> + free(str_temp); >> return; >> } > > Hmm, the original, 088d8802 (mingw: implement syslog, 2010-11-04), > that introduced the special casing for %1, says: > > Syslog does not usually exist on Windows, so implement our own > using Window's ReportEvent mechanism. > > Strings containing "%1" gets expanded into them selves by > ReportEvent, resulting in an unreadable string. "%2" and above > is not a problem. Unfortunately, on Windows an IPv6 address can > contain "%1", so expand "%1" to "% 1" before reporting. "%%1" is > also a problem for ReportEvent, but that string cannot occur in > an IPv6 address. > > It is unclear why it says '"%2" and above is not a problem' to me. > Is that because they expand to something not "an unreadable string", > or is that because in the original developer's testing only "%1" was > observed? %2 would expand to the first argument (this is a varargs-type interface), but such an argument does not exist, so no expansion is being performed. > It also says "%%1" is a problem, and it does not occur in > an IPv6 address, but that would suggest that every time a new caller > is added to syslog(), this imitation of syslog() can break, as there > is nothing that says the new caller must be reporting something > about an IP address. Perhaps this loop should cleanse what it > passes to ReportEvent() a bit more aggressively by expanding all "%" > to "%-sp" or something)? This suspicion is somewhat justified; I only did %1 because that was the only one that had any theoretical way of being hit at the time the patch was written. However, a quick test reveals that we currently expand "%%1" to "%% 1", which is not problematic. And that makes sense from looking at the code also. However, removing the hunk and running the code reveals that Windows no longer does that ugly recursive expansion. I'm sure it did when I wrote the code, because I did test it. So it seems at least Windows 8.1 is less insane about this. > Regardless of that funny %1 business, I notice in > > http://msdn.microsoft.com/en-us/library/windows/desktop/aa363679%28v=vs.85%29.aspx > > that each element of lpStrings array that is passed to ReportEvent() > is limited to 32k or so. Wouldn't it make it a lot simpler if we > removed the dynamic allocation and use a fixed sized 32k buffer here > (and truncate the result as necessary)? That would make the "leak" > disappear automatically. That's a very good point. Yes, I think that makes more sense. > Having said all that, if we were to still go with the current code > structure, "str_temp" should be scoped inside the loop, as there is > no need to make it available to the remainder of the function, I > think. Also writing this way may make the intention more clear. > > while (...) { > char *new_str = realloc(str, ...); > if (!new_str) { > free(str); > return; > } > memmove(... to shuffle ...); > > And after starting to write the above, I notice that the current > code around realloc may be completely bogus. It goes like this: > > while ((pos = strstr(str, "..."))) { > str = realloc(str, ...); > if (!str) { warn and bail; } > memmove(pos + 1, pos + 1, ...); > pos[1] = ' '; > } > > If realloc() really allocated a new string, then pos that points > into the original str has no relation to the reallocated str, so > memmove() is not shuffling the string to make room for the SP in the > string that will be given to ReportEvent() at all, no? This seems > to be a bug introduced by 2a6b149c (mingw: avoid using strbuf in > syslog, 2011-10-06). > > It makes me wonder if this codepath ever triggers in the first > place. IIRC, this hunk was really just written out of fear because IPv6 addresses might contain %1, and I don't think it has ever been proven to be possible to trigger out in the wild. But of course, other call-sites could do the same thing. ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH] win32: syslog: prevent potential realloc memory leak 2015-01-25 21:38 ` Erik Faye-Lund @ 2015-01-26 4:25 ` Junio C Hamano 0 siblings, 0 replies; 4+ messages in thread From: Junio C Hamano @ 2015-01-26 4:25 UTC (permalink / raw) To: Erik Faye-Lund Cc: git mailing list, Erik Faye-Lund, Arjun Sreedharan, Mike Pape Erik Faye-Lund <kusmabite@gmail.com> writes: > Sorry for very late reply. I had a bug in my mail rules that caused > this email to skip my inbox. That should be fixed now. > > On Mon, Dec 15, 2014 at 7:11 PM, Junio C Hamano <gitster@pobox.com> wrote: > ... >> Regardless of that funny %1 business, I notice in >> >> http://msdn.microsoft.com/en-us/library/windows/desktop/aa363679%28v=vs.85%29.aspx >> >> that each element of lpStrings array that is passed to ReportEvent() >> is limited to 32k or so. Wouldn't it make it a lot simpler if we >> removed the dynamic allocation and use a fixed sized 32k buffer here >> (and truncate the result as necessary)? That would make the "leak" >> disappear automatically. > > That's a very good point. Yes, I think that makes more sense. OK, so I'd expect a simpler non-reallocating code to materialize and will drop Arjun's patch for now. Thanks. ^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2015-01-26 4:25 UTC | newest] Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2014-12-13 9:41 [PATCH] win32: syslog: prevent potential realloc memory leak Arjun Sreedharan 2014-12-15 18:11 ` Junio C Hamano 2015-01-25 21:38 ` Erik Faye-Lund 2015-01-26 4:25 ` Junio C Hamano
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.