From 6267faa646db0edb3340aaa3d4c12eec028b9e63 Mon Sep 17 00:00:00 2001 From: Jeremy Kerr Date: Sat, 23 Sep 2023 09:44:50 -0700 Subject: [PATCH] mi-mctp: Fix free() in error path of mi_open_mctp MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit If the malloc of our struct nvme_mi_transport_mctp fails, we'll attempt to free ->rsp_buf of this (now zero) pointer. Instead, structure the error path to progressively undo the initialisation operations. This means we'll need to save the errno at the site of each possible failure. In doing this, add a comment to the call to nvme_mi_close(), just to clarify behaviour with regards to the cleanups through that path. Reported-by: Barnabás Pőcze Signed-off-by: Jeremy Kerr --- src/nvme/mi-mctp.c | 27 ++++++++++++++++++--------- 1 file changed, 18 insertions(+), 9 deletions(-) diff --git a/src/nvme/mi-mctp.c b/src/nvme/mi-mctp.c index 31462173..86c4c29e 100644 --- a/src/nvme/mi-mctp.c +++ b/src/nvme/mi-mctp.c @@ -472,23 +472,29 @@ nvme_mi_ep_t nvme_mi_open_mctp(nvme_root_t root, unsigned int netid, __u8 eid) return NULL; mctp = malloc(sizeof(*mctp)); - if (!mctp) - goto err_free_ep; + if (!mctp) { + errno_save = errno; + goto err_close_ep; + } memset(mctp, 0, sizeof(*mctp)); mctp->sd = -1; mctp->resp_buf_size = 4096; mctp->resp_buf = malloc(mctp->resp_buf_size); - if (!mctp->resp_buf) - goto err_free_ep; + if (!mctp->resp_buf) { + errno_save = errno; + goto err_free_mctp; + } mctp->net = netid; mctp->eid = eid; mctp->sd = ops.socket(AF_MCTP, SOCK_DGRAM, 0); - if (mctp->sd < 0) - goto err_free_ep; + if (mctp->sd < 0) { + errno_save = errno; + goto err_free_rspbuf; + } ep->transport = &nvme_mi_transport_mctp; ep->transport_data = mctp; @@ -504,11 +510,14 @@ nvme_mi_ep_t nvme_mi_open_mctp(nvme_root_t root, unsigned int netid, __u8 eid) return ep; -err_free_ep: - errno_save = errno; - nvme_mi_close(ep); +err_free_rspbuf: free(mctp->resp_buf); +err_free_mctp: free(mctp); +err_close_ep: + /* the ep->transport is not set yet, so this will not call back + * into nvme_mi_mctp_close() */ + nvme_mi_close(ep); errno = errno_save; return NULL; } -- 2.50.1