From owner-freebsd-bugs@FreeBSD.ORG  Tue Mar 23 12:20:01 2010
Return-Path: <owner-freebsd-bugs@FreeBSD.ORG>
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id D9AAE1065672
	for <freebsd-bugs@hub.freebsd.org>;
	Tue, 23 Mar 2010 12:20:01 +0000 (UTC)
	(envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org
	[IPv6:2001:4f8:fff6::28])
	by mx1.freebsd.org (Postfix) with ESMTP id 9D06F8FC17
	for <freebsd-bugs@hub.freebsd.org>;
	Tue, 23 Mar 2010 12:20:01 +0000 (UTC)
Received: from freefall.freebsd.org (localhost [127.0.0.1])
	by freefall.freebsd.org (8.14.4/8.14.4) with ESMTP id o2NCK1Oh061540
	for <freebsd-bugs@freefall.freebsd.org>; Tue, 23 Mar 2010 12:20:01 GMT
	(envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.14.4/8.14.4/Submit) id o2NCK1Im061539;
	Tue, 23 Mar 2010 12:20:01 GMT (envelope-from gnats)
Resent-Date: Tue, 23 Mar 2010 12:20:01 GMT
Resent-Message-Id: <201003231220.o2NCK1Im061539@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org,
	"Earl R. Lapus" <earl.lapus@gmail.com>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 83DB3106566B
	for <freebsd-gnats-submit@FreeBSD.org>;
	Tue, 23 Mar 2010 12:11:37 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [IPv6:2001:4f8:fff6::21])
	by mx1.freebsd.org (Postfix) with ESMTP id 596268FC18
	for <freebsd-gnats-submit@FreeBSD.org>;
	Tue, 23 Mar 2010 12:11:37 +0000 (UTC)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.14.3/8.14.3) with ESMTP id o2NCBb25005982
	for <freebsd-gnats-submit@FreeBSD.org>; Tue, 23 Mar 2010 12:11:37 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.14.3/8.14.3/Submit) id o2NCBbxa005981;
	Tue, 23 Mar 2010 12:11:37 GMT (envelope-from nobody)
Message-Id: <201003231211.o2NCBbxa005981@www.freebsd.org>
Date: Tue, 23 Mar 2010 12:11:37 GMT
From: "Earl R. Lapus" <earl.lapus@gmail.com>
To: freebsd-gnats-submit@FreeBSD.org
X-Send-Pr-Version: www-3.1
Cc: 
Subject: misc/144974: [ping6] malloc()s not free()'d
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Bug reports <freebsd-bugs.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
	<mailto:freebsd-bugs-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-bugs>
List-Post: <mailto:freebsd-bugs@freebsd.org>
List-Help: <mailto:freebsd-bugs-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
	<mailto:freebsd-bugs-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Mar 2010 12:20:02 -0000


>Number:         144974
>Category:       misc
>Synopsis:       [ping6] malloc()s not free()'d
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Mar 23 12:20:01 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator:     Earl R. Lapus
>Release:        FreeBSD 8.0
>Organization:
>Environment:
FreeBSD syutsyut.cebu.infoweapons.com 8.0-RELEASE FreeBSD 8.0-RELEASE #0: Tue Dec 15 12:44:45 PHT 2009    root@syutsyut.cebu.infoweapons.com:/usr/obj/usr/src/
sys/SYUTSYUT  i386

>Description:
Some portions of the code allocates memory via malloc() but aren't free()'d when the ping6 exits. The attached patch attempts to fix the problem but may not be correct -- needs review.
>How-To-Repeat:

>Fix:


Patch attached with submission follows:

diff -ruN ../src/sbin/ping6/ping6.c ../src.mod/sbin/ping6/ping6.c
--- ../src/sbin/ping6/ping6.c	2009-10-25 09:10:29.000000000 +0800
+++ ../src.mod/sbin/ping6/ping6.c	2010-03-23 18:32:58.000000000 +0800
@@ -224,6 +224,13 @@
 u_int8_t nonce[8];		/* nonce field for node information */
 int hoplimit = -1;		/* hoplimit */
 int pathmtu = 0;		/* path MTU for the destination.  0 = unspec. */
+u_char *packet = NULL;
+#ifdef HAVE_POLL_H
+struct pollfd fdmaskp[1];
+#else
+fd_set *fdmaskp = NULL;
+int fdmasks;
+#endif
 
 /* counters */
 long nmissedmax;		/* max value of ntransmitted - nreceived - 1 */
@@ -301,19 +308,13 @@
 	struct timeval timeout, *tv;
 #endif
 	struct addrinfo hints;
-#ifdef HAVE_POLL_H
-	struct pollfd fdmaskp[1];
-#else
-	fd_set *fdmaskp;
-	int fdmasks;
-#endif
 	int cc, i;
 	int ch, hold, packlen, preload, optval, ret_ga;
-	u_char *datap, *packet;
+	u_char *datap;
 	char *e, *target, *ifname = NULL, *gateway = NULL;
 	int ip6optlen = 0;
 	struct cmsghdr *scmsgp = NULL;
-	struct cmsghdr *cm;
+	struct cmsghdr cm[CONTROLLEN];
 #if defined(SO_SNDBUF) && defined(SO_RCVBUF)
 	u_long lsockbufsize;
 	int sockbufsize = 0;
@@ -1073,11 +1074,6 @@
 	seeninfo = 0;
 #endif
 
-	/* For control (ancillary) data received from recvmsg() */
-	cm = (struct cmsghdr *)malloc(CONTROLLEN);
-	if (cm == NULL)
-		err(1, "malloc");
-
 	for (;;) {
 		struct msghdr m;
 		struct iovec iov[2];
@@ -1149,8 +1145,8 @@
 		iov[0].iov_len = packlen;
 		m.msg_iov = iov;
 		m.msg_iovlen = 1;
-		memset(cm, 0, CONTROLLEN);
-		m.msg_control = (void *)cm;
+		memset(&cm, 0, CONTROLLEN);
+		m.msg_control = (void *)&cm;
 		m.msg_controllen = CONTROLLEN;
 
 		cc = recvmsg(s, &m, 0);
@@ -1191,6 +1187,15 @@
 		}
 	}
 	summary();
+
+        if(packet != NULL)
+                free(packet);
+
+#ifndef HAVE_POLL_H
+        if(fdmaskp != NULL)
+                free(fdmaskp);
+#endif
+
 	exit(nreceived == 0 ? 2 : 0);
 }
 
@@ -2247,6 +2252,14 @@
 {
 	summary();
 
+        if(packet != NULL)
+                free(packet);
+
+#ifndef HAVE_POLL_H
+        if(fdmaskp != NULL)
+                free(fdmaskp);
+#endif
+
 	(void)signal(SIGINT, SIG_DFL);
 	(void)kill(getpid(), SIGINT);
 


>Release-Note:
>Audit-Trail:
>Unformatted: