* [PATCH 1/4] uintset: Fix memory leak in l_uintset_new_from_range
@ 2015-10-21 21:13 Szymon Janc
  2015-10-21 21:13 ` [PATCH 2/4] ringbuf: Remove dead code Szymon Janc
                   ` (3 more replies)
  0 siblings, 4 replies; 5+ messages in thread
From: Szymon Janc @ 2015-10-21 21:13 UTC (permalink / raw)
  To: ell

Allocate ret only after checking size parameter.
---
 ell/uintset.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/ell/uintset.c b/ell/uintset.c
index 3d9c8e3..4547ac9 100644
--- a/ell/uintset.c
+++ b/ell/uintset.c
@@ -149,12 +149,13 @@ struct l_uintset {
 LIB_EXPORT struct l_uintset *l_uintset_new_from_range(uint32_t min,
 								uint32_t max)
 {
-	struct l_uintset *ret = l_new(struct l_uintset, 1);
+	struct l_uintset *ret;
 	unsigned int size = max - min + 1;
 
 	if (size > USHRT_MAX)
 		return NULL;
 
+	ret = l_new(struct l_uintset, 1);
 	ret->bits = l_new(unsigned long,
 				(size + BITS_PER_LONG - 1) / BITS_PER_LONG);
 	ret->size = size;
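Review bot: `unsigned int size = max - min + 1;` can wrap before the `size > USHRT_MAX` check runs. With max == min - 1, or with min == 0 and max == UINT32_MAX where unsigned int is 32 bits, size becomes 0, passes the check, and `l_new(unsigned long, (size + BITS_PER_LONG - 1) / BITS_PER_LONG)` is then asked for zero elements. Since the allocation order is being changed here anyway, consider rejecting `max < min` and a zero size in the same early return, so that `ret` is only allocated for a valid range.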
-- 
2.6.2



* [PATCH 2/4] ringbuf: Remove dead code
  2015-10-21 21:13 [PATCH 1/4] uintset: Fix memory leak in l_uintset_new_from_range Szymon Janc
@ 2015-10-21 21:13 ` Szymon Janc
  2015-10-21 21:13 ` [PATCH 3/4] unit: Add tests for NULL set in uintset Szymon Janc
                   ` (2 subsequent siblings)
  3 siblings, 0 replies; 5+ messages in thread
From: Szymon Janc @ 2015-10-21 21:13 UTC (permalink / raw)
  To: ell

l_malloc cannot fail if size>0.
---
 ell/ringbuf.c | 7 -------
 1 file changed, 7 deletions(-)

diff --git a/ell/ringbuf.c b/ell/ringbuf.c
index 9049618..4f1f280 100644
--- a/ell/ringbuf.c
+++ b/ell/ringbuf.c
@@ -93,14 +93,7 @@ LIB_EXPORT struct l_ringbuf *l_ringbuf_new(size_t size)
 	real_size = align_power2(size);
 
 	ringbuf = l_new(struct l_ringbuf, 1);
-	if (!ringbuf)
-		return NULL;
-
 	ringbuf->buffer = l_malloc(real_size);
-	if (!ringbuf->buffer) {
-		l_free(ringbuf);
-		return NULL;
-	}
 
 	ringbuf->size = real_size;
 	ringbuf->in = RINGBUF_RESET;
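Review bot: the commit message justifies the removal with "l_malloc cannot fail if size>0", but nothing in this hunk shows that `real_size = align_power2(size)` is non-zero, and the dropped `if (!ringbuf)` check concerns `l_new`, which the message does not mention. If `real_size` can be 0 at this point, `ringbuf->buffer` may be NULL with no check left before it is used. Please confirm that a guard on `size` exists above this hunk (or add one on `real_size`), and state the `l_new` guarantee in the commit message as well.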
-- 
2.6.2



* [PATCH 3/4] unit: Add tests for NULL set in uintset
  2015-10-21 21:13 [PATCH 1/4] uintset: Fix memory leak in l_uintset_new_from_range Szymon Janc
  2015-10-21 21:13 ` [PATCH 2/4] ringbuf: Remove dead code Szymon Janc
@ 2015-10-21 21:13 ` Szymon Janc
  2015-10-21 21:13 ` [PATCH 4/4] uintset: Fix crash on NULL set Szymon Janc
  2015-10-21 23:25 ` [PATCH 1/4] uintset: Fix memory leak in l_uintset_new_from_range Denis Kenzior
  3 siblings, 0 replies; 5+ messages in thread
From: Szymon Janc @ 2015-10-21 21:13 UTC (permalink / raw)
  To: ell

---
 unit/test-uintset.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/unit/test-uintset.c b/unit/test-uintset.c
index 7e17113..8d83a2a 100644
--- a/unit/test-uintset.c
+++ b/unit/test-uintset.c
@@ -25,6 +25,7 @@
 #endif
 
 #include <assert.h>
+#include <limits.h>
 
 #include <ell/ell.h>
 
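Review bot: `<limits.h>` is added only to get `UINT_MAX`, while the l_uintset_find_* functions in ell/uintset.c are declared as returning `uint32_t`. Comparing against `UINT32_MAX` from `<stdint.h>` would match the return type and would not depend on the width of unsigned int; if `UINT_MAX` is kept, it should be the same constant the library documents so the test and the API comment cannot drift apart.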
@@ -34,6 +35,10 @@ static void test_uintset(const void *data)
 	int i;
 	bool r;
 
+	assert(l_uintset_get_min(NULL) == UINT_MAX);
+	assert(l_uintset_find_max(NULL) == UINT_MAX);
+	assert(l_uintset_find_min(NULL) == UINT_MAX);
+
 	set = l_uintset_new_from_range(1, 76);
 	assert(set);
 
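Review bot: the new assertions at the top of test_uintset() cover l_uintset_get_min, l_uintset_find_max and l_uintset_find_min with a NULL set, but not l_uintset_find_unused_min(NULL), which receives the same UINT_MAX return in 4/4; add `assert(l_uintset_find_unused_min(NULL) == UINT_MAX);` next to them. Ordering is also a concern: before 4/4 the `!set` branch of l_uintset_find_max and l_uintset_find_min returns `set->max + 1`, so this test dereferences NULL when 3/4 is applied on its own. Moving the tests after the fix, or squashing the two, keeps the series bisectable. The patch also has no commit message body.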
-- 
2.6.2



* [PATCH 4/4] uintset: Fix crash on NULL set
  2015-10-21 21:13 [PATCH 1/4] uintset: Fix memory leak in l_uintset_new_from_range Szymon Janc
  2015-10-21 21:13 ` [PATCH 2/4] ringbuf: Remove dead code Szymon Janc
  2015-10-21 21:13 ` [PATCH 3/4] unit: Add tests for NULL set in uintset Szymon Janc
@ 2015-10-21 21:13 ` Szymon Janc
  2015-10-21 23:25 ` [PATCH 1/4] uintset: Fix memory leak in l_uintset_new_from_range Denis Kenzior
  3 siblings, 0 replies; 5+ messages in thread
From: Szymon Janc @ 2015-10-21 21:13 UTC (permalink / raw)
  To: ell

This fixes NULL pointer dereferences in l_uintset_find_* functions.

With NULL set it is impossible to return l_uintset_get_max(set) + 1
without ambiguous return value. Return UINT_MAX for such cases.
---
 ell/uintset.c | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/ell/uintset.c b/ell/uintset.c
index 4547ac9..e3d7ede 100644
--- a/ell/uintset.c
+++ b/ell/uintset.c
@@ -314,14 +314,15 @@ LIB_EXPORT uint32_t l_uintset_get_max(struct l_uintset *set)
  * @set: The set of numbers
  *
  * Returns: The minimum number that is not preset in the set.  If the set of
- * numbers is fully populated, returns l_uintset_get_max(set) + 1.
+ * numbers is fully populated, returns l_uintset_get_max(set) + 1. If @set is
+ * NULL returns UINT_MAX.
  **/
 LIB_EXPORT uint32_t l_uintset_find_unused_min(struct l_uintset *set)
 {
 	unsigned int bit;
 
 	if (unlikely(!set))
-		return set->max + 1;
+		return UINT_MAX;
 
 	bit = find_first_zero_bit(set->bits, set->size);
 
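Review bot: `return UINT_MAX;` in the `!set` branch of l_uintset_find_unused_min() is not always distinguishable from a valid result. The documented return for a fully populated set is l_uintset_get_max(set) + 1, and l_uintset_new_from_range() limits only the range size, not max, so a full set with max == UINT_MAX - 1 yields the same value as the NULL case. The comment should state this overlap, or the constructor should reject ranges whose max + 1 would reach the sentinel. The return type is `uint32_t`, so `UINT32_MAX` would be the matching constant.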
@@ -336,14 +337,14 @@ LIB_EXPORT uint32_t l_uintset_find_unused_min(struct l_uintset *set)
  * @set: The set of numbers
  *
  * Returns: The maximum number preset in the set.  If the set of numbers is
- * empty, or on error, returns l_uintset_get_max(set) + 1.
+ * empty returns l_uintset_get_max(set) + 1. If @set is NULL returns UINT_MAX.
  **/
 LIB_EXPORT uint32_t l_uintset_find_max(struct l_uintset *set)
 {
 	unsigned int bit;
 
 	if (unlikely(!set))
-		return set->max + 1;
+		return UINT_MAX;
 
 	bit = find_last_bit(set->bits, set->size);
 
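Review bot: the rewritten comment for l_uintset_find_max() reads "If the set of numbers is empty returns l_uintset_get_max(set) + 1", which is missing a comma after "empty", and the unchanged line above it still says "preset in the set" where "present" is meant. Since the comment is being edited anyway, fix both. Dropping "or on error" is fine only if NULL is the sole error case; if other failures exist, the comment should say what they return.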
@@ -358,14 +359,14 @@ LIB_EXPORT uint32_t l_uintset_find_max(struct l_uintset *set)
  * @set: The set of numbers
  *
  * Returns: The minimum number preset in the set.  If the set of numbers is
- * empty, or on error, returns l_uintset_get_max(set) + 1.
+ * empty returns l_uintset_get_max(set) + 1. If @set is NULL returns UINT_MAX.
  **/
 LIB_EXPORT uint32_t l_uintset_find_min(struct l_uintset *set)
 {
 	unsigned int bit;
 
 	if (unlikely(!set))
-		return set->max + 1;
+		return UINT_MAX;
 
 	bit = find_first_bit(set->bits, set->size);
 
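Review bot: after this change l_uintset_find_min() has two distinct failure values, l_uintset_get_max(set) + 1 for an empty set and UINT_MAX for a NULL set, and the comment does not tell callers they must check both. A caller written against the old text ("empty, or on error, returns l_uintset_get_max(set) + 1") that tests only for that value will take UINT_MAX as a member of the set. Please spell out in the comment that both values must be handled, and check existing callers of the three find functions for this pattern.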
-- 
2.6.2



* Re: [PATCH 1/4] uintset: Fix memory leak in l_uintset_new_from_range
  2015-10-21 21:13 [PATCH 1/4] uintset: Fix memory leak in l_uintset_new_from_range Szymon Janc
                   ` (2 preceding siblings ...)
  2015-10-21 21:13 ` [PATCH 4/4] uintset: Fix crash on NULL set Szymon Janc
@ 2015-10-21 23:25 ` Denis Kenzior
  3 siblings, 0 replies; 5+ messages in thread
From: Denis Kenzior @ 2015-10-21 23:25 UTC (permalink / raw)
  To: ell

Hi Szymon,

On 10/21/2015 04:13 PM, Szymon Janc wrote:
> Allocate ret only after checking size parameter.
> ---
>   ell/uintset.c | 3 ++-
>   1 file changed, 2 insertions(+), 1 deletion(-)
>

All four applied.  Some of the mistakes fixed were embarrassing :(

Thanks!

Regards,
-Denis

