Re: [PATCH] nss: Fix memory leak in findLease

On Mon, Apr 14, 2025 at 15:06:09 +0300, Alexander Kuznetsov wrote:
> path is allocated by asprintf() and must be freed later if realloc() fails or at
> the end of each while() iteration
> 
> Move the free() call out of LIBVIRT_NSS_GUEST macro and add another one if
> realloc() fails
> 
> Found by Linux Verification Center (linuxtesting.org) with Svace.
> 
> Reported-by: Dmitry Fedin <d.fedin@xxxxxxxxxxx>
> Signed-off-by: Alexander Kuznetsov <kuznetsovam@xxxxxxxxxxxx>
> ---
>  tools/nss/libvirt_nss.c | 7 +++++--
>  1 file changed, 5 insertions(+), 2 deletions(-)
> 
> diff --git a/tools/nss/libvirt_nss.c b/tools/nss/libvirt_nss.c
> index d79a00a1b0..190cc7a3dd 100644
> --- a/tools/nss/libvirt_nss.c
> +++ b/tools/nss/libvirt_nss.c
> @@ -141,8 +141,11 @@ findLease(const char *name,
>                  goto cleanup;
>  
>              tmpLease = realloc(leaseFiles, sizeof(char *) * (nleaseFiles + 1));
> -            if (!tmpLease)
> +            if (!tmpLease) {
> +                free(path);
>                  goto cleanup;
> +            }
> +
>              leaseFiles = tmpLease;
>              leaseFiles[nleaseFiles++] = path;

The path is added to the array ...

>  #if defined(LIBVIRT_NSS_GUEST)
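
Review bot: after `leaseFiles[nleaseFiles++] = path;` the array holds the string but `path` still carries the same pointer, so ownership is ambiguous for whatever code follows in the block. Setting `path = NULL;` directly after the store would make the transfer explicit and turn any later `free(path)` into a no-op. The added `free(path)` in the `!tmpLease` branch is fine, since at that point the pointer has not been stored anywhere else.
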
> @@ -155,8 +158,8 @@ findLease(const char *name,
>                  free(path);
>                  goto cleanup;
>              }
> -            free(path);
>  #endif /* LIBVIRT_NSS_GUEST */

So if you move this after the definition check, and the definition is not defined ...

> +            free(path);

... this free will become part of the upper block and free the path
filled into the array.

>          }
>  
>          errno = 0;
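
Review bot: the `free(path);` added below `#endif /* LIBVIRT_NSS_GUEST */` is compiled unconditionally, so in a build without LIBVIRT_NSS_GUEST it lands directly after `leaseFiles[nleaseFiles++] = path;` from the previous hunk and frees a pointer the array still holds. Any later read or free of that array entry is then a use-after-free or double free. Keep the `free(path);` inside the `#if defined(LIBVIRT_NSS_GUEST)` block where it was and limit the fix to the new `free(path)` in the realloc() failure branch.
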
> -- 
> 2.42.4
> 


