From: Steve Grubb
Subject: Re: Possible memory leak in auparse_interpret_sock_parts()
Date: Fri, 21 Jun 2019 09:11:07 -0400
Message-ID: <5831426.LfvxvhjaId@x2>
To: linux-audit@redhat.com
Cc: Tarun Ramesh

On Friday, June 21, 2019 7:34:12 AM EDT Tarun Ramesh wrote:
> Hi,
>
> In the function auparse_interpret_sock_parts() in auparse/auparse.c, for
> the line:
> const char *val = nvlist_interp_cur_val(r, au->escape_mode);
>
> I see that the function nvlist_interp_cur_val() eventually calls
> auparse_do_interpretation() which has the comment "Returns a malloc'ed
> buffer that the caller must free"
> The call path is:
> nvlist_interp_cur_val() -> interpret() -> auparse_do_interpretation()
>
> In auparse_interpret_sock_parts():
> const char *val = nvlist_interp_cur_val(r, au->escape_mode);
> is called and then the value of 'val' is overwritten by:
> val = strstr(tmp, field);
>
> The initial memory pointed to by 'val' is never freed, which might be a
> memory leak.
> Please let me know if I'm missing something.

nvlist_interp_cur_val() maintains custody of that chunk of memory and frees
it when the list is cleared. I have a testcase for this and valgrind is
showing no leaks.

-Steve
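
A simplified model of the ownership arrangement described in the reply above, added here as an example; it is not code from the audit project. The names node_t, list_t, do_interpretation(), list_interp_cur_val(), list_clear() and the sample field value are hypothetical stand-ins, and live_allocs is a counter added only to make the balance of allocations observable.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static int live_allocs;  /* heap buffers not yet freed (instrumentation only) */

/* Hypothetical node: raw field text plus a cached interpretation. */
typedef struct { const char *raw; char *interp; } node_t;
typedef struct { node_t items[4]; size_t cnt, cur; } list_t;

/* Stand-in interpreter: returns a malloc'ed buffer that someone must free. */
static char *do_interpretation(const char *raw)
{
    size_t n = strlen(raw) + sizeof("interp:");
    char *out = malloc(n);
    if (out == NULL) return NULL;
    snprintf(out, n, "interp:%s", raw);
    live_allocs++;
    return out;
}

/* Returns a borrowed pointer; the node keeps custody of the buffer. */
static const char *list_interp_cur_val(list_t *l)
{
    if (l->cur >= l->cnt) return NULL;
    node_t *n = &l->items[l->cur];
    if (n->interp == NULL) n->interp = do_interpretation(n->raw);
    return n->interp;
}

/* Clearing the list frees every cached interpretation. */
static void list_clear(list_t *l)
{
    for (size_t i = 0; i < l->cnt; i++)
        if (l->items[i].interp) { free(l->items[i].interp); l->items[i].interp = NULL; live_allocs--; }
    l->cnt = l->cur = 0;
}

/* Caller reassigns val without freeing it; returns buffers still live after clear. */
static int live_after_clear(void)
{
    list_t l = { .items = { { "saddr=0200", NULL } }, .cnt = 1, .cur = 0 };  /* constructed sample */
    const char *val = list_interp_cur_val(&l);
    if (val == NULL) return -1;
    val = strstr(val, "0200");  /* local pointer overwritten, buffer untouched */
    list_clear(&l);             /* the list, not the caller, releases the buffer */
    return live_allocs;
}

int main(void) { printf("%d\n", live_after_clear()); return 0; }
```

In this model a caller that did free the returned pointer would cause a double free when the list is later cleared, which is why the borrowed pointer is returned as const char *.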