Date: Tue, 23 Mar 2010 12:11:37 GMT
From: "Earl R. Lapus" <earl.lapus@gmail.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: [ping6] malloc()s not free()'d

>Number:         144974
>Category:       bin
>Synopsis:       [patch] ping6(1): malloc()s not free()'d
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    brucec
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Mar 23 12:20:01 UTC 2010
>Closed-Date:    Fri Jul 16 09:36:53 UTC 2010
>Last-Modified:  Fri Jul 16 09:36:53 UTC 2010
>Originator:     Earl R. Lapus
>Release:        FreeBSD 8.0
>Organization:
>Environment:
FreeBSD syutsyut.cebu.infoweapons.com 8.0-RELEASE FreeBSD 8.0-RELEASE #0: Tue Dec 15 12:44:45 PHT 2009    root@syutsyut.cebu.infoweapons.com:/usr/obj/usr/src/sys/SYUTSYUT  i386

>Description:
Some portions of the code allocate memory via malloc() that isn't free()'d when ping6 exits. The attached patch attempts to fix the problem but may not be correct -- needs review.
>How-To-Repeat:

>Fix:


Patch attached with submission follows:

diff -ruN ../src/sbin/ping6/ping6.c ../src.mod/sbin/ping6/ping6.c
--- ../src/sbin/ping6/ping6.c	2009-10-25 09:10:29.000000000 +0800
+++ ../src.mod/sbin/ping6/ping6.c	2010-03-23 18:32:58.000000000 +0800
@@ -224,6 +224,13 @@
 u_int8_t nonce[8];		/* nonce field for node information */
 int hoplimit = -1;		/* hoplimit */
 int pathmtu = 0;		/* path MTU for the destination.  0 = unspec. */
+u_char *packet = NULL;
+#ifdef HAVE_POLL_H
+struct pollfd fdmaskp[1];
+#else
+fd_set *fdmaskp = NULL;
+int fdmasks;
+#endif
 
 /* counters */
 long nmissedmax;		/* max value of ntransmitted - nreceived - 1 */
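Review bot: the new file-scope `packet`, `fdmaskp` and `fdmasks` carry no comment, while the globals just above them (`nonce`, `hoplimit`, `pathmtu`) each have one. Since they are promoted out of main() only so the exit paths can release them, add a short comment to each saying where it is allocated and where it is freed.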
@@ -301,19 +308,13 @@
 	struct timeval timeout, *tv;
 #endif
 	struct addrinfo hints;
-#ifdef HAVE_POLL_H
-	struct pollfd fdmaskp[1];
-#else
-	fd_set *fdmaskp;
-	int fdmasks;
-#endif
 	int cc, i;
 	int ch, hold, packlen, preload, optval, ret_ga;
-	u_char *datap, *packet;
+	u_char *datap;
 	char *e, *target, *ifname = NULL, *gateway = NULL;
 	int ip6optlen = 0;
 	struct cmsghdr *scmsgp = NULL;
-	struct cmsghdr *cm;
+	struct cmsghdr cm[CONTROLLEN];
 #if defined(SO_SNDBUF) && defined(SO_RCVBUF)
 	u_long lsockbufsize;
 	int sockbufsize = 0;
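Review bot: `struct cmsghdr cm[CONTROLLEN];` declares CONTROLLEN elements of struct cmsghdr, not CONTROLLEN bytes, so the stack object is sizeof(struct cmsghdr) times larger than the `malloc(CONTROLLEN)` buffer it replaces. Size it in bytes instead, for example a `u_char` array of CONTROLLEN placed in a union with a `struct cmsghdr` member so the alignment needed for ancillary data is kept.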
@@ -1073,11 +1074,6 @@
 	seeninfo = 0;
 #endif
 
-	/* For control (ancillary) data received from recvmsg() */
-	cm = (struct cmsghdr *)malloc(CONTROLLEN);
-	if (cm == NULL)
-		err(1, "malloc");
-
 	for (;;) {
 		struct msghdr m;
 		struct iovec iov[2];
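Review bot: the comment `/* For control (ancillary) data received from recvmsg() */` is deleted together with the malloc() and is not re-added at the new `cm` declaration in main(). Move it to the declaration so the purpose of the buffer stays documented.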
@@ -1149,8 +1145,8 @@
 		iov[0].iov_len = packlen;
 		m.msg_iov = iov;
 		m.msg_iovlen = 1;
-		memset(cm, 0, CONTROLLEN);
-		m.msg_control = (void *)cm;
+		memset(&cm, 0, CONTROLLEN);
+		m.msg_control = (void *)&cm;
 		m.msg_controllen = CONTROLLEN;
 
 		cc = recvmsg(s, &m, 0);
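Review bot: the two changed lines pass `&cm`, a pointer to the whole array, where plain `cm` would decay to the same `struct cmsghdr *` the original code passed; with `cm` these lines need no change at all. memset() and `msg_controllen` also still use CONTROLLEN while the array as declared is larger than that, so once the buffer is sized in bytes prefer `sizeof(cm)` in all three places to keep the length and the object from drifting apart.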
@@ -1191,6 +1187,15 @@
 		}
 	}
 	summary();
+
+        if(packet != NULL)
+                free(packet);
+
+#ifndef HAVE_POLL_H
+        if(fdmaskp != NULL)
+                free(fdmaskp);
+#endif
+
 	exit(nreceived == 0 ? 2 : 0);
 }
 
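Review bot: the `if(packet != NULL)` and `if(fdmaskp != NULL)` guards are unnecessary, because free(NULL) is defined to do nothing. The added lines are also indented with spaces and written as `if(` while the surrounding context uses tabs; call `free(packet);` and `free(fdmaskp);` directly with tab indentation to match the file.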
@@ -2247,6 +2252,14 @@
 {
 	summary();
 
+        if(packet != NULL)
+                free(packet);
+
+#ifndef HAVE_POLL_H
+        if(fdmaskp != NULL)
+                free(fdmaskp);
+#endif
+
 	(void)signal(SIGINT, SIG_DFL);
 	(void)kill(getpid(), SIGINT);
 
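Review bot: the free() calls are added to a path that then resets SIGINT to SIG_DFL and re-raises it with kill(), which is what a SIGINT handler does, and free() is not async-signal-safe. If the signal arrives while the main loop is inside the allocator, the heap state can be corrupted or the process can deadlock. Since the process is about to terminate on the re-raised signal, drop the frees here and leave cleanup to the normal exit path.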


>Release-Note:
>Audit-Trail:

From: Bruce Cran <bruce@cran.org.uk>
To: bug-followup@FreeBSD.org, earl.lapus@gmail.com
Cc:  
Subject: Re: bin/144974: [patch] ping6(1): malloc()s not free()'d
Date: Fri, 28 May 2010 11:40:40 +0100

 Of course it's good style to free memory which has been allocated, but 
 I'm not sure if we should be doing it here since it appears to 
 complicate the code, and there's no memory leak while ping6 is running 
 (i.e. when it's doing work).
 
 -- 
 Bruce Cran

From: Earl Lapus <earl.lapus@gmail.com>
To: Bruce Cran <bruce@cran.org.uk>
Cc: bug-followup@freebsd.org
Subject: Re: bin/144974: [patch] ping6(1): malloc()s not free()'d
Date: Fri, 28 May 2010 19:18:28 +0800

 I understand. Thanks for taking the time to look into this issue.
 
 -- 
 There are seven words in this sentence.
Responsible-Changed-From-To: freebsd-bugs->brucec 
Responsible-Changed-By: brucec 
Responsible-Changed-When: Fri May 28 12:34:24 UTC 2010 
Responsible-Changed-Why:  
Take. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=144974 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: bin/144974: commit references a PR
Date: Wed, 16 Jun 2010 15:49:31 +0000 (UTC)

 Author: brucec
 Date: Wed Jun 16 15:49:17 2010
 New Revision: 209236
 URL: http://svn.freebsd.org/changeset/base/209236
 
 Log:
   Call free and freeaddrinfo before exiting.
   
   PR: bin/144730
   PR: bin/144974
   Submitted by: Earl R. Lapus <earl.lapus at gmail.com>
   Approved by: rrs (mentor)
   MFC after: 1 month
 
 Modified:
   head/sbin/ping6/ping6.c
 
 Modified: head/sbin/ping6/ping6.c
 ==============================================================================
 --- head/sbin/ping6/ping6.c	Wed Jun 16 15:40:13 2010	(r209235)
 +++ head/sbin/ping6/ping6.c	Wed Jun 16 15:49:17 2010	(r209236)
 @@ -210,7 +210,7 @@ u_int options;
  int mx_dup_ck = MAX_DUP_CHK;
  char rcvd_tbl[MAX_DUP_CHK / 8];
  
 -struct addrinfo *res;
 +struct addrinfo *res = NULL;
  struct sockaddr_in6 dst;	/* who to ping6 */
  struct sockaddr_in6 src;	/* src addr of this packet */
  socklen_t srclen;
 @@ -225,6 +225,13 @@ int ident;			/* process id to identify o
  u_int8_t nonce[8];		/* nonce field for node information */
  int hoplimit = -1;		/* hoplimit */
  int pathmtu = 0;		/* path MTU for the destination.  0 = unspec. */
 +u_char *packet = NULL;
 +#ifdef HAVE_POLL_H
 +struct pollfd fdmaskp[1];
 +#else
 +fd_set *fdmaskp = NULL;
 +int fdmasks;
 +#endif
  
  /* counters */
  long nmissedmax;		/* max value of ntransmitted - nreceived - 1 */
 @@ -302,19 +309,14 @@ main(argc, argv)
  	struct timeval timeout, *tv;
  #endif
  	struct addrinfo hints;
 -#ifdef HAVE_POLL_H
 -	struct pollfd fdmaskp[1];
 -#else
 -	fd_set *fdmaskp;
 -	int fdmasks;
 -#endif
  	int cc, i;
  	int ch, hold, packlen, preload, optval, ret_ga;
 -	u_char *datap, *packet;
 +	u_char *datap;
  	char *e, *target, *ifname = NULL, *gateway = NULL;
  	int ip6optlen = 0;
  	struct cmsghdr *scmsgp = NULL;
 -	struct cmsghdr *cm;
 +	/* For control (ancillary) data received from recvmsg() */
 +	struct cmsghdr cm[CONTROLLEN];
  #if defined(SO_SNDBUF) && defined(SO_RCVBUF)
  	u_long lsockbufsize;
  	int sockbufsize = 0;
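Review bot: `struct cmsghdr cm[CONTROLLEN];` reserves CONTROLLEN structures rather than CONTROLLEN bytes, so main() now carries a stack buffer several times larger than the heap buffer removed in the later hunk. No hunk in this commit touches the memset() or `msg_control` lines, so they keep working through array decay, but they describe only the first CONTROLLEN bytes of the object. Declare the buffer in bytes (a `u_char` array of CONTROLLEN in a union with `struct cmsghdr` for alignment) so its size matches what recvmsg() is told.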
 @@ -529,6 +531,7 @@ main(argc, argv)
  			memcpy(&src, res->ai_addr, res->ai_addrlen);
  			srclen = res->ai_addrlen;
  			freeaddrinfo(res);
 +			res = NULL;
  			options |= F_SRCADDR;
  			break;
  		case 's':		/* size of packet to send */
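Review bot: `res = NULL;` after freeaddrinfo(res) is what keeps the new exit-path `if (res != NULL) freeaddrinfo(res);` from freeing the list twice, but the reset is shown for this one call site only. Check every other place that frees `res` and give it the same reset, since `res` is now a global that is released again at exit.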
 @@ -1081,11 +1084,6 @@ main(argc, argv)
  	seeninfo = 0;
  #endif
  
 -	/* For control (ancillary) data received from recvmsg() */
 -	cm = (struct cmsghdr *)malloc(CONTROLLEN);
 -	if (cm == NULL)
 -		err(1, "malloc");
 -
  	for (;;) {
  		struct msghdr m;
  		struct iovec iov[2];
 @@ -1199,6 +1197,18 @@ main(argc, argv)
  		}
  	}
  	summary();
 +
 +	if (res != NULL)
 +		freeaddrinfo(res);
 +
 +        if(packet != NULL)
 +                free(packet);
 +
 +#ifndef HAVE_POLL_H
 +        if(fdmaskp != NULL)
 +                free(fdmaskp);
 +#endif
 +
  	exit(nreceived == 0 ? 2 : 0);
  }
  
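Review bot: this cleanup block before exit() is repeated verbatim in the onint() hunk, and inside it the `res` lines use tabs and `if (` while the `packet` and `fdmaskp` lines use spaces and `if(`. Factor the three releases into one helper called from both places, indent it with tabs, and drop the NULL guards around free(), which accepts NULL.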
 @@ -2255,6 +2265,17 @@ onint(notused)
  {
  	summary();
  
 +	if (res != NULL)
 +		freeaddrinfo(res);
 +
 +        if(packet != NULL)
 +                free(packet);
 +
 +#ifndef HAVE_POLL_H
 +        if(fdmaskp != NULL)
 +                free(fdmaskp);
 +#endif
 +
  	(void)signal(SIGINT, SIG_DFL);
  	(void)kill(getpid(), SIGINT);
  
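Review bot: onint() is the SIGINT handler, and freeaddrinfo() and free() are not async-signal-safe, so calling them here can corrupt the heap if the signal interrupts an allocator call in main(). There is also a window in the earlier hunk between `freeaddrinfo(res);` and `res = NULL;` where a SIGINT makes this handler free `res` a second time. The handler re-raises SIGINT with the default action immediately afterwards, so the process is terminated anyway; remove the cleanup from onint() and keep it only on the normal exit path.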
 
State-Changed-From-To: open->patched  
State-Changed-By: brucec 
State-Changed-When: Wed Jun 16 15:53:23 UTC 2010 
State-Changed-Why:  
Fixed in HEAD. 

State-Changed-From-To: patched->closed  
State-Changed-By: brucec 
State-Changed-When: Fri Jul 16 09:36:36 UTC 2010 
State-Changed-Why:  
Not to be MFC'd. 

>Unformatted:
