Actions
Bug #1788
closedaf-packet coverity warning
Added by Victor Julien over 9 years ago. Updated over 7 years ago.
Affected Versions:
Effort:
Difficulty:
Label:
Description
** CID 1362014: (RESOURCE_LEAK)
/src/source-af-packet.c: 1799 in AFPSetupRing()
/src/source-af-packet.c: 1803 in AFPSetupRing()
________________________________________________________________________________________________________
*** CID 1362014: (RESOURCE_LEAK)
/src/source-af-packet.c: 1799 in AFPSetupRing()
1793 }
1794 ptv->frame_offset = 0;
1795 #ifdef HAVE_TPACKET_V3
1796 }
1797 #endif
1798
>>> CID 1362014: (RESOURCE_LEAK)
>>> Variable "ring_buf" going out of scope leaks the storage it points to.
1799 return 0;
1800
1801 mmap_err:
1802 /* Packet mmap does the cleaning when socket is closed */
1803 return AFP_FATAL_ERROR;
1804 }
/src/source-af-packet.c: 1803 in AFPSetupRing()
1797 #endif
1798
1799 return 0;
1800
1801 mmap_err:
1802 /* Packet mmap does the cleaning when socket is closed */
>>> CID 1362014: (RESOURCE_LEAK)
>>> Variable "ring_buf" going out of scope leaks the storage it points to.
1803 return AFP_FATAL_ERROR;
1804 }
1805
1806 static int AFPCreateSocket(AFPThreadVars *ptv, char *devname, int verbose)
1807 {
1808 int r;
Updated by Victor Julien over 9 years ago
- Status changed from Assigned to Closed
- Target version changed from 70 to 3.1rc1
- % Done changed from 90 to 100
Updated by Victor Julien over 9 years ago
- Status changed from Closed to Assigned
Coverity still thinks we leak memory.
1637static int AFPSetupRing(AFPThreadVars *ptv, char *devname)
1638{
1639 int val;
1640 unsigned int len = sizeof(val), i;
1641 unsigned int ring_buflen;
1642 uint8_t * ring_buf;
1643 int order;
1644 int r, mmap_flag;
1645
1646#ifdef HAVE_TPACKET_V3
1. Condition ptv->flags & (16 /* 1 << 4 */), taking false branch
1647 if (ptv->flags & AFP_TPACKET_V3) {
1648 val = TPACKET_V3;
1649 } else
1650#endif
1651 {
1652 val = TPACKET_V2;
1653 }
2. Condition getsockopt(ptv->socket, 263, 11, &val, &len) < 0, taking false branch
1654 if (getsockopt(ptv->socket, SOL_PACKET, PACKET_HDRLEN, &val, &len) < 0) {
1655 if (errno == ENOPROTOOPT) {
1656 if (ptv->flags & AFP_TPACKET_V3) {
1657 SCLogError(SC_ERR_AFP_CREATE,
1658 "Too old kernel giving up (need 3.2 for TPACKET_V3)");
1659 } else {
1660 SCLogError(SC_ERR_AFP_CREATE,
1661 "Too old kernel giving up (need 2.6.27 at least)");
1662 }
1663 }
1664 SCLogError(SC_ERR_AFP_CREATE, "Error when retrieving packet header len");
1665 return AFP_FATAL_ERROR;
1666 }
1667
1668 val = TPACKET_V2;
1669#ifdef HAVE_TPACKET_V3
3. Condition ptv->flags & (16 /* 1 << 4 */), taking false branch
1670 if (ptv->flags & AFP_TPACKET_V3) {
1671 val = TPACKET_V3;
1672 }
1673#endif
4. Condition setsockopt(ptv->socket, 263, 10, &val, 4U /* sizeof (val) */) < 0, taking false branch
1674 if (setsockopt(ptv->socket, SOL_PACKET, PACKET_VERSION, &val,
1675 sizeof(val)) < 0) {
1676 SCLogError(SC_ERR_AFP_CREATE,
1677 "Can't activate TPACKET_V2/TPACKET_V3 on packet socket: %s",
1678 strerror(errno));
1679 return AFP_FATAL_ERROR;
1680 }
1681
1682#ifdef HAVE_HW_TIMESTAMPING
1683 int req = SOF_TIMESTAMPING_RAW_HARDWARE;
5. Condition setsockopt(ptv->socket, 263, 17, (void *)&req, 4U /* sizeof (req) */) < 0, taking false branch
1684 if (setsockopt(ptv->socket, SOL_PACKET, PACKET_TIMESTAMP, (void *) &req,
1685 sizeof(req)) < 0) {
1686 SCLogWarning(SC_ERR_AFP_CREATE,
1687 "Can't activate hardware timestamping on packet socket: %s",
1688 strerror(errno));
1689 }
1690#endif
1691
1692 /* Allocate RX ring */
1693#ifdef HAVE_TPACKET_V3
6. Condition ptv->flags & (16 /* 1 << 4 */), taking false branch
1694 if (ptv->flags & AFP_TPACKET_V3) {
1695 if (AFPComputeRingParamsV3(ptv) != 1) {
1696 return AFP_FATAL_ERROR;
1697 }
1698 r = setsockopt(ptv->socket, SOL_PACKET, PACKET_RX_RING,
1699 (void *) &ptv->req3, sizeof(ptv->req3));
1700 if (r < 0) {
1701 SCLogError(SC_ERR_MEM_ALLOC,
1702 "Unable to allocate RX Ring for iface %s: (%d) %s",
1703 devname,
1704 errno,
1705 strerror(errno));
1706 return AFP_FATAL_ERROR;
1707 }
1708 } else {
1709#endif
7. Condition order >= 0, taking true branch
1710 for (order = AFP_BLOCK_SIZE_DEFAULT_ORDER; order >= 0; order--) {
8. Condition AFPComputeRingParams(ptv, order) != 1, taking false branch
1711 if (AFPComputeRingParams(ptv, order) != 1) {
1712 SCLogInfo("Ring parameter are incorrect. Please correct the devel");
1713 return AFP_FATAL_ERROR;
1714 }
1715
1716 r = setsockopt(ptv->socket, SOL_PACKET, PACKET_RX_RING,
1717 (void *) &ptv->req, sizeof(ptv->req));
1718
9. Condition r < 0, taking false branch
1719 if (r < 0) {
1720 if (errno == ENOMEM) {
1721 SCLogInfo("Memory issue with ring parameters. Retrying.");
1722 continue;
1723 }
1724 SCLogError(SC_ERR_MEM_ALLOC,
1725 "Unable to allocate RX Ring for iface %s: (%d) %s",
1726 devname,
1727 errno,
1728 strerror(errno));
1729 return AFP_FATAL_ERROR;
1730 } else {
10. Breaking from loop
1731 break;
1732 }
1733 }
11. Condition order < 0, taking false branch
1734 if (order < 0) {
1735 SCLogError(SC_ERR_MEM_ALLOC,
1736 "Unable to allocate RX Ring for iface %s (order 0 failed)",
1737 devname);
1738 return AFP_FATAL_ERROR;
1739 }
1740#ifdef HAVE_TPACKET_V3
1741 }
1742#endif
1743
1744 /* Allocate the Ring */
1745#ifdef HAVE_TPACKET_V3
12. Condition ptv->flags & (16 /* 1 << 4 */), taking false branch
1746 if (ptv->flags & AFP_TPACKET_V3) {
1747 ring_buflen = ptv->req3.tp_block_nr * ptv->req3.tp_block_size;
1748 } else {
1749#endif
1750 ring_buflen = ptv->req.tp_block_nr * ptv->req.tp_block_size;
1751#ifdef HAVE_TPACKET_V3
1752 }
1753#endif
1754 mmap_flag = MAP_SHARED;
13. Condition ptv->flags & (64 /* 1 << 6 */), taking false branch
1755 if (ptv->flags & AFP_MMAP_LOCKED)
1756 mmap_flag |= MAP_LOCKED;
14. alloc_fn: Storage is returned from allocation function mmap.
15. var_assign: Assigning: ring_buf = storage returned from mmap(NULL, ring_buflen, 3, mmap_flag, ptv->socket, 0L).
1757 ring_buf = mmap(0, ring_buflen, PROT_READ|PROT_WRITE,
1758 mmap_flag, ptv->socket, 0);
16. Condition ring_buf == (void *)0xffffffffffffffff, taking false branch
1759 if (ring_buf == MAP_FAILED) {
1760 SCLogError(SC_ERR_MEM_ALLOC, "Unable to mmap, error %s",
1761 strerror(errno));
1762 goto mmap_err;
1763 }
1764#ifdef HAVE_TPACKET_V3
17. Condition ptv->flags & (16 /* 1 << 4 */), taking false branch
1765 if (ptv->flags & AFP_TPACKET_V3) {
1766 ptv->ring_v3 = SCMalloc(ptv->req3.tp_block_nr * sizeof(*ptv->ring_v3));
1767 if (!ptv->ring_v3) {
1768 SCLogError(SC_ERR_MEM_ALLOC, "Unable to malloc ptv ring_v3");
1769 goto postmmap_err;
1770 }
1771 for (i = 0; i < ptv->req3.tp_block_nr; ++i) {
1772 ptv->ring_v3[i].iov_base = ring_buf + (i * ptv->req3.tp_block_size);
1773 ptv->ring_v3[i].iov_len = ptv->req3.tp_block_size;
1774 }
1775 } else {
1776#endif
1777 /* allocate a ring for each frame header pointer*/
18. Condition ptrmem == NULL, taking false branch
1778 ptv->ring_v2 = SCMalloc(ptv->req.tp_frame_nr * sizeof (union thdr *));
19. Condition (*ptv).ring_v2 == NULL, taking false branch
1779 if (ptv->ring_v2 == NULL) {
1780 SCLogError(SC_ERR_MEM_ALLOC, "Unable to allocate frame buf");
1781 goto postmmap_err;
1782 }
1783 memset(ptv->ring_v2, 0, ptv->req.tp_frame_nr * sizeof (union thdr *));
1784 /* fill the header ring with proper frame ptr*/
1785 ptv->frame_offset = 0;
20. Condition i < (*ptv).req.tp_block_nr, taking true branch
25. Condition i < (*ptv).req.tp_block_nr, taking false branch
1786 for (i = 0; i < ptv->req.tp_block_nr; ++i) {
21. var_assign: Assigning: base = ring_buf.
1787 void *base = &ring_buf[i * ptv->req.tp_block_size];
1788 unsigned int j;
22. Condition j < (*ptv).req.tp_block_size / (*ptv).req.tp_frame_size, taking false branch
1789 for (j = 0; j < ptv->req.tp_block_size / ptv->req.tp_frame_size; ++j, ++ptv->frame_offset) {
1790 (((union thdr **)ptv->ring_v2)[ptv->frame_offset]) = base;
1791 base += ptv->req.tp_frame_size;
1792 }
23. leaked_storage: Variable base going out of scope leaks the storage it points to.
24. Jumping back to the beginning of the loop
1793 }
1794 ptv->frame_offset = 0;
1795#ifdef HAVE_TPACKET_V3
1796 }
1797#endif
1798
CID 1362014 (#1 of 1): Resource leak (RESOURCE_LEAK)26. leaked_storage: Variable ring_buf going out of scope leaks the storage it points to.
1799 return 0;
1800
1801postmmap_err:
1802 munmap(ring_buf, ring_buflen);
1803 if (ptv->ring_v2)
1804 SCFree(ptv->ring_v2);
1805 if (ptv->ring_v3)
1806 SCFree(ptv->ring_v3);
1807mmap_err:
1808 /* Packet mmap does the cleaning when socket is closed */
1809 return AFP_FATAL_ERROR;
1810}
Updated by Victor Julien over 9 years ago
- Target version changed from 3.1rc1 to 70
Updated by Victor Julien over 8 years ago
Possibly related:
Indirect leak of 560000 byte(s) in 8 object(s) allocated from:
#0 0x7f6d14c3f602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
#1 0x7e719c in ReceiveAFPThreadInit /home/victor/dev/suricata/src/source-af-packet.c:2131
#2 0x870e64 in TmThreadsSlotPktAcqLoop /home/victor/dev/suricata/src/tm-threads.c:294
#3 0x7f6d132796b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
Indirect leak of 16640 byte(s) in 8 object(s) allocated from:
#0 0x7f6d14c3f602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
#1 0x7e291c in AFPSetupRing /home/victor/dev/suricata/src/source-af-packet.c:1775
#2 0x7e509a in AFPCreateSocket /home/victor/dev/suricata/src/source-af-packet.c:1954
#3 0x7dd458 in ReceiveAFPLoop /home/victor/dev/suricata/src/source-af-packet.c:1333
#4 0x8712fe in TmThreadsSlotPktAcqLoop /home/victor/dev/suricata/src/tm-threads.c:334
#5 0x7f6d132796b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
Updated by Victor Julien over 7 years ago
- Status changed from Assigned to Closed
- Target version changed from 70 to 4.1beta1
This issue has been fixed.
Actions