Possible memory leak #3917

Closed
stasos24 opened this issue Feb 14, 2022 · 2 comments · Fixed by #3919
@stasos24
Contributor

stasos24 commented Feb 14, 2022

syslog-ng

Version of syslog-ng

3.35.1

Memory leak

modules/afstomp/stomp.c:105
modules/afstomp/stomp.c:111

```c
int
stomp_connect(stomp_connection **connection_ref, char *hostname, int port)
{
  stomp_connection *conn;
  conn = g_new0(stomp_connection, 1);  //Memory is allocated
  conn->socket = socket(AF_INET, SOCK_STREAM, 0);
  if (conn->socket == -1)
    {
      msg_error("Failed to create socket!"); // conn is not freed, memory leak
      return FALSE;
    }
  if (!resolve_hostname_to_sockaddr(&conn->remote_sa, AF_INET, hostname))
    {
      msg_error("Failed to resolve hostname in stomp driver",
                evt_tag_str("hostname", hostname)); // conn is not freed, memory leak

      return FALSE;
    }
  g_sockaddr_set_port(conn->remote_sa, port);
  if (!g_connect(conn->socket, conn->remote_sa))
    {
      msg_error("Stomp connection failed",
                evt_tag_str("host", hostname));
      _stomp_connection_free(conn);
      return FALSE;
    }
  (*connection_ref) = conn;
  return TRUE;
};
```
@stasos24 stasos24 added the bug label Feb 14, 2022
@stasos24
Contributor Author

Use-after-free

/modules/disq/dqtool.c:446

```c
static void
_relocate_qfile(PersistState *state, const gchar *name)
{
  if (_is_persist_entry_holds_diskq_file(state, name))
    {
      gchar *qfile = persist_state_lookup_string(state, name, NULL, NULL);
      printf("found qfile, key: %s, path: %s\n", name, qfile);
      gchar *base = g_path_get_basename(qfile);
      gchar *relocated_qfile = g_build_filename(new_diskq_path, base, NULL);
      if (!relocated_qfile)
        {
          fprintf(stderr, "Invalid path. new_diskq_dir: %s, qfile: %s\n", new_diskq_path, qfile);
          g_free(qfile); // pointer is released
        }

      if (_move_file(qfile, relocated_qfile)) // use-after-free
        {
          printf("new qfile_path: %s\n", relocated_qfile);
          persist_state_alloc_string(state, name, relocated_qfile, -1);
        }
      else
        {
          fprintf(stderr, "Failed to move file to new qfile_path: %s\n", relocated_qfile);
        }
      g_free(base);
      g_free(qfile);
      g_free(relocated_qfile);
    }
}
```
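
The two error-path patterns reported above, restructured so that each resource has a single release point and is never used after it. This is an added illustration, not syslog-ng code and not the change made in #3919; `demo_connect`, `demo_relocate`, the `fail_at` and `build_fails` switches and the counting allocator are hypothetical stand-ins that simulate the failing calls.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static int live;   /* outstanding allocations, so a leak is observable */
static void *xalloc(size_t n) { void *p = calloc(1, n); if (p) live++; return p; }
static void xfree(void *p) { if (p) { live--; free(p); } }
static char *xdup(const char *s) { char *p = xalloc(strlen(s) + 1); if (p) strcpy(p, s); return p; }
typedef struct { char *remote; } conn_t;   /* hypothetical stand-in for stomp_connection */
static void conn_free(conn_t *c) { if (c) { xfree(c->remote); xfree(c); } }

/* fail_at simulates which step fails: 1 socket, 2 resolve, 3 connect, 0 none */
int demo_connect(conn_t **ref, const char *host, int fail_at) {
  conn_t *c = xalloc(sizeof *c);
  if (!c) return 0;
  if (fail_at == 1) goto error;
  c->remote = (fail_at == 2) ? NULL : xdup(host);
  if (!c->remote) goto error;
  if (fail_at == 3) goto error;
  *ref = c;
  return 1;
error:
  conn_free(c);   /* single release point shared by every failure path */
  return 0;
}

/* build_fails simulates the path-building call returning NULL */
int demo_relocate(const char *dir, const char *path, int build_fails) {
  int moved = 0;
  char *qfile = xdup(path), *relocated = NULL;
  if (qfile && !build_fails) relocated = xalloc(strlen(dir) + strlen(path) + 2);
  if (!relocated) goto done;   /* leave before qfile is touched again */
  moved = sprintf(relocated, "%s/%s", dir, qfile) > 0;   /* stands in for the file move */
done:
  xfree(qfile);   /* released exactly once, after its last use */
  xfree(relocated);
  return moved;
}

int leaked_after_connect(int fail_at) {   /* 0 means nothing leaked */
  conn_t *c = NULL;
  if (demo_connect(&c, "broker.example", fail_at)) conn_free(c);
  return live;
}

int main(void) {
  for (int f = 0; f <= 3; f++) printf("fail_at=%d leaked=%d\n", f, leaked_after_connect(f));
  printf("relocate moved=%d\n", demo_relocate("/new", "a.rqf", 1));
  return 0;
}
```

Building the same file with `-fsanitize=address` gives an independent check on both the leak and the use-after-free paths.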

@MrAnno
Collaborator

MrAnno commented Feb 14, 2022

Hi @stasos24,

Would you like to open a pull request that fixes these findings?
