From: Jeff King <peff@peff.net>
To: "Ævar Arnfjörð Bjarmason" <avarab@gmail.com>
Cc: Git Mailing List <git@vger.kernel.org>,
Tay Ray Chuan <rctay89@gmail.com>
Subject: Re: Possibly solved invalid free() in git-remote-http from Git 1.7.2.1
Date: Mon, 1 Aug 2011 12:00:19 -0600 [thread overview]
Message-ID: <20110801180018.GA10636@sigill.intra.peff.net> (raw)
In-Reply-To: <CACBZZX5N0DaSrU6rxW=PTMQ8b6c_sxMFJQHMaZy1L138eFFo6w@mail.gmail.com>
On Mon, Aug 01, 2011 at 05:42:54PM +0200, Ævar Arnfjörð Bjarmason wrote:
> On Mon, Aug 1, 2011 at 17:39, Ævar Arnfjörð Bjarmason <avarab@gmail.com> wrote:
> > On Mon, Aug 1, 2011 at 17:22, Ævar Arnfjörð Bjarmason <avarab@gmail.com> wrote:
> >> In case anyone would like to look into this I had this undiagnosed
> >> free() error from git-remote-http in git version 1.7.2.1:
> >
> > Actually this is still an issue in master, CC-ing Tay who introduced
> > this error.
> >
> > This evil hack would get around it most of the time, but would
> > introduce another race condition:
>
> *brainfart*. This would be better:
>
> diff --git a/http.c b/http.c
> index a1ea3db..c5da23a 100644
> --- a/http.c
> +++ b/http.c
> @@ -1298,7 +1298,7 @@ struct http_object_request
> *new_http_object_request(const char *base_url,
> if (ftruncate(freq->localfile, 0) < 0) {
> error("Couldn't truncate temporary
> file %s: %s",
> freq->tmpfile, strerror(errno));
> - goto abort;
> + goto abort_url;
> }
> }
> }
> @@ -1328,9 +1328,10 @@ struct http_object_request
> *new_http_object_request(const char *base_url,
>
> return freq;
>
> +abort_url:
> + free(freq->url);
> abort:
> free(filename);
> - free(freq->url);
> free(freq);
> return NULL;
Hmm. The memory management in the function seems weird to me.
Why do we free filename only on abort? Are we leaking it otherwise? Even
weirder, AFAICT, filename can only ever point to the static buffer
returned by sha1_file_name. So it should _never_ be freed. And I'm
surprised glibc's free() checker isn't complaining about that. Am I
reading it wrong?
With respect to freq->url, from your patch I expected that some code
paths would allocate it on the heap, and some would not. But it looks
like there is only one spot, and the problem is that freq is filled with
uninitialized cruft. Wouldn't it be simpler to just s/xmalloc/xcalloc/,
and then you know all of the pointers are initialized properly to NULL?
You can also get rid of the memset-to-zero later in the function.
-Peff
next prev parent reply other threads:[~2011-08-01 18:00 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-08-01 15:22 Possibly solved invalid free() in git-remote-http from Git 1.7.2.1 Ævar Arnfjörð Bjarmason
2011-08-01 15:39 ` Ævar Arnfjörð Bjarmason
2011-08-01 15:42 ` Ævar Arnfjörð Bjarmason
2011-08-01 18:00 ` Jeff King [this message]
2011-08-02 2:51 ` Tay Ray Chuan
2011-08-02 3:33 ` Jeff King
2011-08-03 11:54 ` [PATCH] http.c: fix an invalid free() Tay Ray Chuan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20110801180018.GA10636@sigill.intra.peff.net \
--to=peff@peff.net \
--cc=avarab@gmail.com \
--cc=git@vger.kernel.org \
--cc=rctay89@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).