From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([208.118.235.92]:57508)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <meyering@meyering.net>) id 1T49Y9-0002SK-MM
	for qemu-devel@nongnu.org; Wed, 22 Aug 2012 07:56:42 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <meyering@meyering.net>) id 1T49Y8-0004MA-NZ
	for qemu-devel@nongnu.org; Wed, 22 Aug 2012 07:56:41 -0400
Received: from mx.meyering.net ([88.168.87.75]:45307 helo=hx.meyering.net)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <meyering@meyering.net>) id 1T49Y8-0004M3-Cg
	for qemu-devel@nongnu.org; Wed, 22 Aug 2012 07:56:40 -0400
From: Jim Meyering <jim@meyering.net>
Date: Wed, 22 Aug 2012 13:55:53 +0200
Message-Id: <1345636556-29008-3-git-send-email-jim@meyering.net>
In-Reply-To: <1345636556-29008-1-git-send-email-jim@meyering.net>
References: <1345636556-29008-1-git-send-email-jim@meyering.net>
Subject: [Qemu-devel] [PATCHv3 2/5] linux-user: do_msgrcv: don't leak
	host_mb upon TARGET_EFAULT failure
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: qemu-devel@nongnu.org
Cc: Jim Meyering <meyering@redhat.com>

From: Jim Meyering <meyering@redhat.com>

Also, use g_malloc to avoid NULL-deref upon OOM.

Signed-off-by: Jim Meyering <meyering@redhat.com>
---
 linux-user/syscall.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index 41c869b..1174306 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -2848,7 +2848,7 @@ static inline abi_long do_msgrcv(int msqid, abi_long msgp,
     if (!lock_user_struct(VERIFY_WRITE, target_mb, msgp, 0))
         return -TARGET_EFAULT;

-    host_mb = malloc(msgsz+sizeof(long));
+    host_mb = g_malloc(msgsz+sizeof(long));
     ret = get_errno(msgrcv(msqid, host_mb, msgsz, tswapal(msgtyp), msgflg));

     if (ret > 0) {
@@ -2863,11 +2863,11 @@ static inline abi_long do_msgrcv(int msqid, abi_long msgp,
     }

     target_mb->mtype = tswapal(host_mb->mtype);
-    free(host_mb);

 end:
     if (target_mb)
         unlock_user_struct(target_mb, msgp, 1);
+    g_free(host_mb);
     return ret;
 }

-- 
1.7.12