Actions
Bug #1788
closedaf-packet coverity warning
Affected Versions:
Effort:
Difficulty:
Label:
Description
** CID 1362014: (RESOURCE_LEAK) /src/source-af-packet.c: 1799 in AFPSetupRing() /src/source-af-packet.c: 1803 in AFPSetupRing() ________________________________________________________________________________________________________ *** CID 1362014: (RESOURCE_LEAK) /src/source-af-packet.c: 1799 in AFPSetupRing() 1793 } 1794 ptv->frame_offset = 0; 1795 #ifdef HAVE_TPACKET_V3 1796 } 1797 #endif 1798 >>> CID 1362014: (RESOURCE_LEAK) >>> Variable "ring_buf" going out of scope leaks the storage it points to. 1799 return 0; 1800 1801 mmap_err: 1802 /* Packet mmap does the cleaning when socket is closed */ 1803 return AFP_FATAL_ERROR; 1804 } /src/source-af-packet.c: 1803 in AFPSetupRing() 1797 #endif 1798 1799 return 0; 1800 1801 mmap_err: 1802 /* Packet mmap does the cleaning when socket is closed */ >>> CID 1362014: (RESOURCE_LEAK) >>> Variable "ring_buf" going out of scope leaks the storage it points to. 1803 return AFP_FATAL_ERROR; 1804 } 1805 1806 static int AFPCreateSocket(AFPThreadVars *ptv, char *devname, int verbose) 1807 { 1808 int r;
Updated by Victor Julien over 8 years ago
- Status changed from Assigned to Closed
- Target version changed from 70 to 3.1rc1
- % Done changed from 90 to 100
Updated by Victor Julien over 8 years ago
- Status changed from Closed to Assigned
Coverity still thinks we leak memory.
1637static int AFPSetupRing(AFPThreadVars *ptv, char *devname) 1638{ 1639 int val; 1640 unsigned int len = sizeof(val), i; 1641 unsigned int ring_buflen; 1642 uint8_t * ring_buf; 1643 int order; 1644 int r, mmap_flag; 1645 1646#ifdef HAVE_TPACKET_V3 1. Condition ptv->flags & (16 /* 1 << 4 */), taking false branch 1647 if (ptv->flags & AFP_TPACKET_V3) { 1648 val = TPACKET_V3; 1649 } else 1650#endif 1651 { 1652 val = TPACKET_V2; 1653 } 2. Condition getsockopt(ptv->socket, 263, 11, &val, &len) < 0, taking false branch 1654 if (getsockopt(ptv->socket, SOL_PACKET, PACKET_HDRLEN, &val, &len) < 0) { 1655 if (errno == ENOPROTOOPT) { 1656 if (ptv->flags & AFP_TPACKET_V3) { 1657 SCLogError(SC_ERR_AFP_CREATE, 1658 "Too old kernel giving up (need 3.2 for TPACKET_V3)"); 1659 } else { 1660 SCLogError(SC_ERR_AFP_CREATE, 1661 "Too old kernel giving up (need 2.6.27 at least)"); 1662 } 1663 } 1664 SCLogError(SC_ERR_AFP_CREATE, "Error when retrieving packet header len"); 1665 return AFP_FATAL_ERROR; 1666 } 1667 1668 val = TPACKET_V2; 1669#ifdef HAVE_TPACKET_V3 3. Condition ptv->flags & (16 /* 1 << 4 */), taking false branch 1670 if (ptv->flags & AFP_TPACKET_V3) { 1671 val = TPACKET_V3; 1672 } 1673#endif 4. Condition setsockopt(ptv->socket, 263, 10, &val, 4U /* sizeof (val) */) < 0, taking false branch 1674 if (setsockopt(ptv->socket, SOL_PACKET, PACKET_VERSION, &val, 1675 sizeof(val)) < 0) { 1676 SCLogError(SC_ERR_AFP_CREATE, 1677 "Can't activate TPACKET_V2/TPACKET_V3 on packet socket: %s", 1678 strerror(errno)); 1679 return AFP_FATAL_ERROR; 1680 } 1681 1682#ifdef HAVE_HW_TIMESTAMPING 1683 int req = SOF_TIMESTAMPING_RAW_HARDWARE; 5. Condition setsockopt(ptv->socket, 263, 17, (void *)&req, 4U /* sizeof (req) */) < 0, taking false branch 1684 if (setsockopt(ptv->socket, SOL_PACKET, PACKET_TIMESTAMP, (void *) &req, 1685 sizeof(req)) < 0) { 1686 SCLogWarning(SC_ERR_AFP_CREATE, 1687 "Can't activate hardware timestamping on packet socket: %s", 1688 strerror(errno)); 1689 } 1690#endif 1691 1692 /* Allocate RX ring */ 1693#ifdef HAVE_TPACKET_V3 6. Condition ptv->flags & (16 /* 1 << 4 */), taking false branch 1694 if (ptv->flags & AFP_TPACKET_V3) { 1695 if (AFPComputeRingParamsV3(ptv) != 1) { 1696 return AFP_FATAL_ERROR; 1697 } 1698 r = setsockopt(ptv->socket, SOL_PACKET, PACKET_RX_RING, 1699 (void *) &ptv->req3, sizeof(ptv->req3)); 1700 if (r < 0) { 1701 SCLogError(SC_ERR_MEM_ALLOC, 1702 "Unable to allocate RX Ring for iface %s: (%d) %s", 1703 devname, 1704 errno, 1705 strerror(errno)); 1706 return AFP_FATAL_ERROR; 1707 } 1708 } else { 1709#endif 7. Condition order >= 0, taking true branch 1710 for (order = AFP_BLOCK_SIZE_DEFAULT_ORDER; order >= 0; order--) { 8. Condition AFPComputeRingParams(ptv, order) != 1, taking false branch 1711 if (AFPComputeRingParams(ptv, order) != 1) { 1712 SCLogInfo("Ring parameter are incorrect. Please correct the devel"); 1713 return AFP_FATAL_ERROR; 1714 } 1715 1716 r = setsockopt(ptv->socket, SOL_PACKET, PACKET_RX_RING, 1717 (void *) &ptv->req, sizeof(ptv->req)); 1718 9. Condition r < 0, taking false branch 1719 if (r < 0) { 1720 if (errno == ENOMEM) { 1721 SCLogInfo("Memory issue with ring parameters. Retrying."); 1722 continue; 1723 } 1724 SCLogError(SC_ERR_MEM_ALLOC, 1725 "Unable to allocate RX Ring for iface %s: (%d) %s", 1726 devname, 1727 errno, 1728 strerror(errno)); 1729 return AFP_FATAL_ERROR; 1730 } else { 10. Breaking from loop 1731 break; 1732 } 1733 } 11. Condition order < 0, taking false branch 1734 if (order < 0) { 1735 SCLogError(SC_ERR_MEM_ALLOC, 1736 "Unable to allocate RX Ring for iface %s (order 0 failed)", 1737 devname); 1738 return AFP_FATAL_ERROR; 1739 } 1740#ifdef HAVE_TPACKET_V3 1741 } 1742#endif 1743 1744 /* Allocate the Ring */ 1745#ifdef HAVE_TPACKET_V3 12. Condition ptv->flags & (16 /* 1 << 4 */), taking false branch 1746 if (ptv->flags & AFP_TPACKET_V3) { 1747 ring_buflen = ptv->req3.tp_block_nr * ptv->req3.tp_block_size; 1748 } else { 1749#endif 1750 ring_buflen = ptv->req.tp_block_nr * ptv->req.tp_block_size; 1751#ifdef HAVE_TPACKET_V3 1752 } 1753#endif 1754 mmap_flag = MAP_SHARED; 13. Condition ptv->flags & (64 /* 1 << 6 */), taking false branch 1755 if (ptv->flags & AFP_MMAP_LOCKED) 1756 mmap_flag |= MAP_LOCKED; 14. alloc_fn: Storage is returned from allocation function mmap. 15. var_assign: Assigning: ring_buf = storage returned from mmap(NULL, ring_buflen, 3, mmap_flag, ptv->socket, 0L). 1757 ring_buf = mmap(0, ring_buflen, PROT_READ|PROT_WRITE, 1758 mmap_flag, ptv->socket, 0); 16. Condition ring_buf == (void *)0xffffffffffffffff, taking false branch 1759 if (ring_buf == MAP_FAILED) { 1760 SCLogError(SC_ERR_MEM_ALLOC, "Unable to mmap, error %s", 1761 strerror(errno)); 1762 goto mmap_err; 1763 } 1764#ifdef HAVE_TPACKET_V3 17. Condition ptv->flags & (16 /* 1 << 4 */), taking false branch 1765 if (ptv->flags & AFP_TPACKET_V3) { 1766 ptv->ring_v3 = SCMalloc(ptv->req3.tp_block_nr * sizeof(*ptv->ring_v3)); 1767 if (!ptv->ring_v3) { 1768 SCLogError(SC_ERR_MEM_ALLOC, "Unable to malloc ptv ring_v3"); 1769 goto postmmap_err; 1770 } 1771 for (i = 0; i < ptv->req3.tp_block_nr; ++i) { 1772 ptv->ring_v3[i].iov_base = ring_buf + (i * ptv->req3.tp_block_size); 1773 ptv->ring_v3[i].iov_len = ptv->req3.tp_block_size; 1774 } 1775 } else { 1776#endif 1777 /* allocate a ring for each frame header pointer*/ 18. Condition ptrmem == NULL, taking false branch 1778 ptv->ring_v2 = SCMalloc(ptv->req.tp_frame_nr * sizeof (union thdr *)); 19. Condition (*ptv).ring_v2 == NULL, taking false branch 1779 if (ptv->ring_v2 == NULL) { 1780 SCLogError(SC_ERR_MEM_ALLOC, "Unable to allocate frame buf"); 1781 goto postmmap_err; 1782 } 1783 memset(ptv->ring_v2, 0, ptv->req.tp_frame_nr * sizeof (union thdr *)); 1784 /* fill the header ring with proper frame ptr*/ 1785 ptv->frame_offset = 0; 20. Condition i < (*ptv).req.tp_block_nr, taking true branch 25. Condition i < (*ptv).req.tp_block_nr, taking false branch 1786 for (i = 0; i < ptv->req.tp_block_nr; ++i) { 21. var_assign: Assigning: base = ring_buf. 1787 void *base = &ring_buf[i * ptv->req.tp_block_size]; 1788 unsigned int j; 22. Condition j < (*ptv).req.tp_block_size / (*ptv).req.tp_frame_size, taking false branch 1789 for (j = 0; j < ptv->req.tp_block_size / ptv->req.tp_frame_size; ++j, ++ptv->frame_offset) { 1790 (((union thdr **)ptv->ring_v2)[ptv->frame_offset]) = base; 1791 base += ptv->req.tp_frame_size; 1792 } 23. leaked_storage: Variable base going out of scope leaks the storage it points to. 24. Jumping back to the beginning of the loop 1793 } 1794 ptv->frame_offset = 0; 1795#ifdef HAVE_TPACKET_V3 1796 } 1797#endif 1798 CID 1362014 (#1 of 1): Resource leak (RESOURCE_LEAK)26. leaked_storage: Variable ring_buf going out of scope leaks the storage it points to. 1799 return 0; 1800 1801postmmap_err: 1802 munmap(ring_buf, ring_buflen); 1803 if (ptv->ring_v2) 1804 SCFree(ptv->ring_v2); 1805 if (ptv->ring_v3) 1806 SCFree(ptv->ring_v3); 1807mmap_err: 1808 /* Packet mmap does the cleaning when socket is closed */ 1809 return AFP_FATAL_ERROR; 1810}
Updated by Victor Julien over 8 years ago
- Target version changed from 3.1rc1 to 70
Updated by Victor Julien almost 8 years ago
Possibly related:
Indirect leak of 560000 byte(s) in 8 object(s) allocated from: #0 0x7f6d14c3f602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602) #1 0x7e719c in ReceiveAFPThreadInit /home/victor/dev/suricata/src/source-af-packet.c:2131 #2 0x870e64 in TmThreadsSlotPktAcqLoop /home/victor/dev/suricata/src/tm-threads.c:294 #3 0x7f6d132796b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9) Indirect leak of 16640 byte(s) in 8 object(s) allocated from: #0 0x7f6d14c3f602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602) #1 0x7e291c in AFPSetupRing /home/victor/dev/suricata/src/source-af-packet.c:1775 #2 0x7e509a in AFPCreateSocket /home/victor/dev/suricata/src/source-af-packet.c:1954 #3 0x7dd458 in ReceiveAFPLoop /home/victor/dev/suricata/src/source-af-packet.c:1333 #4 0x8712fe in TmThreadsSlotPktAcqLoop /home/victor/dev/suricata/src/tm-threads.c:334 #5 0x7f6d132796b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
Updated by Victor Julien over 6 years ago
- Status changed from Assigned to Closed
- Target version changed from 70 to 4.1beta1
This issue has been fixed.
Actions