From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([2001:4830:134:3::10]:34877)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <somlo@cmu.edu>) id 1YXVne-00056u-0p
	for qemu-devel@nongnu.org; Mon, 16 Mar 2015 10:15:28 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <somlo@cmu.edu>) id 1YXVnT-0003Fo-8g
	for qemu-devel@nongnu.org; Mon, 16 Mar 2015 10:15:21 -0400
Received: from relay-05.andrew.cmu.edu ([128.2.157.12]:47909
	helo=relay.andrew.cmu.edu) by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <somlo@cmu.edu>) id 1YXVnT-0003Ey-4r
	for qemu-devel@nongnu.org; Mon, 16 Mar 2015 10:15:11 -0400
From: "Gabriel L. Somlo" <somlo@cmu.edu>
Date: Mon, 16 Mar 2015 10:15:02 -0400
Message-Id: <1426515305-17766-4-git-send-email-somlo@cmu.edu>
In-Reply-To: <1426515305-17766-1-git-send-email-somlo@cmu.edu>
References: <1426515305-17766-1-git-send-email-somlo@cmu.edu>
Subject: [Qemu-devel] [PATCH 3/6] fw_cfg: assertion to detect memory leak
	when adding new data blob
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: qemu-devel@nongnu.org
Cc: matt.fleming@intel.com, rjones@redhat.com, jordan.l.justen@intel.com, gleb@cloudius-systems.com, mdroth@linux.vnet.ibm.com, gsomlo@gmail.com, kraxel@redhat.com, pbonzini@redhat.com, lersek@redhat.com

Currently, fw_cfg_add_bytes_read_callback() does not deal with
the possibility that the data pointer at the requested key position
has previously been set, and assumes it will be called exactly once
for each key value.

This patch introduces an assertion to codify this assumption, and
insure the data pointer about to be set is NULL at the time the
function is called, which will prevent the inadvertent leaking of
data blobs by erroneous multiple calls using the same key value.

Signed-off-by: Gabriel Somlo <somlo@cmu.edu>
---
 hw/nvram/fw_cfg.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/hw/nvram/fw_cfg.c b/hw/nvram/fw_cfg.c
index 86090f3..5501a97 100644
--- a/hw/nvram/fw_cfg.c
+++ b/hw/nvram/fw_cfg.c
@@ -399,6 +399,7 @@ static void fw_cfg_add_bytes_read_callback(FWCfgState *s, uint16_t key,
     key &= FW_CFG_ENTRY_MASK;
 
     assert(key < FW_CFG_MAX_ENTRY && len < UINT32_MAX);
+    assert(s->entries[arch][key].data == NULL); /* prevent memory leak */
 
     s->entries[arch][key].data = data;
     s->entries[arch][key].len = (uint32_t)len;
-- 
2.1.0