From 8c8941eb297a166aa7b1b915a543bf97b3a63039 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alexander=20F=C3=A6r=C3=B8y?= Date: Sat, 23 Jun 2018 00:44:33 +0200 Subject: [PATCH 1/7] Fix potential memory leak in hs_helper_build_intro_point(). This patch fixes a potential memory leak in hs_helper_build_intro_point() where a `goto done` is called before the `intro_point` variable have been assigned to the value of the `ip` variable. See: Coverity CID 1437460 See: Coverity CID 1437456 --- src/test/hs_test_helpers.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/test/hs_test_helpers.c b/src/test/hs_test_helpers.c index 3f0d6a9413..f7e054b1d1 100644 --- a/src/test/hs_test_helpers.c +++ b/src/test/hs_test_helpers.c @@ -85,6 +85,9 @@ hs_helper_build_intro_point(const ed25519_keypair_t *signing_kp, time_t now, intro_point = ip; done: + if (intro_point == NULL) + tor_free(ip); + return intro_point; } From dc2384da30cae716f512dedef37d27f00c43f29d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alexander=20F=C3=A6r=C3=B8y?= Date: Sat, 23 Jun 2018 10:27:10 +0200 Subject: [PATCH 2/7] Fix potential memory leak in hs_helper_build_hs_desc_impl(). This patch fixes a memory leak in hs_helper_build_hs_desc_impl() where if a test assertion would fail we would leak the storage that `desc` points to. See: Coverity CID 1437448 --- src/test/hs_test_helpers.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/test/hs_test_helpers.c b/src/test/hs_test_helpers.c index f7e054b1d1..dcd58bc5fd 100644 --- a/src/test/hs_test_helpers.c +++ b/src/test/hs_test_helpers.c @@ -142,6 +142,9 @@ hs_helper_build_hs_desc_impl(unsigned int no_ip, descp = desc; done: + if (descp == NULL) + tor_free(desc); + return descp; } From d86c45bf5cc75a526b884a754d72ef4d11aa0693 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alexander=20F=C3=A6r=C3=B8y?= Date: Sat, 23 Jun 2018 10:33:40 +0200 Subject: [PATCH 3/7] Fix memory leak in client_likes_consensus(). This patches fixes a memory leak in client_likes_consensus() where if consensus_cache_entry_get_voter_id_digests() would fail we would return without having free'd the voters list. See: Coverity CID 1437447 --- src/or/directory.c | 1 + 1 file changed, 1 insertion(+) diff --git a/src/or/directory.c b/src/or/directory.c index 5ceea2fb32..f52354356d 100644 --- a/src/or/directory.c +++ b/src/or/directory.c @@ -3499,6 +3499,7 @@ client_likes_consensus(const struct consensus_cache_entry_t *ent, int have = 0; if (consensus_cache_entry_get_voter_id_digests(ent, voters) != 0) { + smartlist_free(voters); return 1; // We don't know the voters; assume the client won't mind. */ } From 3d80c086bea3b0d93327c30ac620740b629cb294 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alexander=20F=C3=A6r=C3=B8y?= Date: Sat, 23 Jun 2018 11:54:36 +0200 Subject: [PATCH 4/7] Fix memory leak in decode_link_specifiers(). This patch fixes a memory leak in decode_link_specifiers() where the hs_spec variable might leak if the default label is taken in the switch/case expression. See: Coverity CID 1437437. --- src/or/hs_descriptor.c | 1 + 1 file changed, 1 insertion(+) diff --git a/src/or/hs_descriptor.c b/src/or/hs_descriptor.c index 938b7a77df..15bdd14d55 100644 --- a/src/or/hs_descriptor.c +++ b/src/or/hs_descriptor.c @@ -864,6 +864,7 @@ decode_link_specifiers(const char *encoded) sizeof(hs_spec->u.legacy_id)); break; default: + tor_free(hs_spec); goto err; } From c997d49ad6e6a360323311444eed1dbee785aea4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alexander=20F=C3=A6r=C3=B8y?= Date: Sat, 23 Jun 2018 12:39:20 +0200 Subject: [PATCH 5/7] Fix memory link in test_link_specifier(). This patch fixes a memory leak in test_link_specifier() where ls might not get freed in case one of the test macros fails. See: Coverity CID 1437434. --- src/test/test_hs_descriptor.c | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/src/test/test_hs_descriptor.c b/src/test/test_hs_descriptor.c index 97fe1910b8..365683e75c 100644 --- a/src/test/test_hs_descriptor.c +++ b/src/test/test_hs_descriptor.c @@ -376,6 +376,9 @@ test_link_specifier(void *arg) ssize_t ret; hs_desc_link_specifier_t spec; smartlist_t *link_specifiers = smartlist_new(); + char buf[256]; + char *b64 = NULL; + link_specifier_t *ls = NULL; (void) arg; @@ -385,9 +388,7 @@ test_link_specifier(void *arg) /* Test IPv4 for starter. */ { - char *b64, buf[256]; uint32_t ipv4; - link_specifier_t *ls; spec.type = LS_IPV4; ret = tor_addr_parse(&spec.u.ap.addr, "1.2.3.4"); @@ -414,9 +415,7 @@ test_link_specifier(void *arg) /* Test IPv6. */ { - char *b64, buf[256]; uint8_t ipv6[16]; - link_specifier_t *ls; spec.type = LS_IPV6; ret = tor_addr_parse(&spec.u.ap.addr, "[1:2:3:4::]"); @@ -445,9 +444,7 @@ test_link_specifier(void *arg) /* Test legacy. */ { - char *b64, buf[256]; uint8_t *id; - link_specifier_t *ls; spec.type = LS_LEGACY_ID; memset(spec.u.legacy_id, 'Y', sizeof(spec.u.legacy_id)); @@ -473,6 +470,8 @@ test_link_specifier(void *arg) } done: + link_specifier_free(ls); + tor_free(b64); smartlist_free(link_specifiers); } From 8550016e6f5e2780259f5073e34e67708e4e87ff Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alexander=20F=C3=A6r=C3=B8y?= Date: Sat, 23 Jun 2018 12:52:04 +0200 Subject: [PATCH 6/7] Fix memory leak in test_channelpadding_consensus(). The relay variable is always allocated, but might not be freed before we return from this function. See: Coverity CID 1437431 --- src/test/test_channelpadding.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/test/test_channelpadding.c b/src/test/test_channelpadding.c index d54c9cc52c..0bc9699feb 100644 --- a/src/test/test_channelpadding.c +++ b/src/test/test_channelpadding.c @@ -745,6 +745,8 @@ test_channelpadding_consensus(void *arg) tt_i64_op(val, OP_LE, 24*60*60*2); done: + tor_free(relay); + free_mock_consensus(); free_fake_channeltls((channel_tls_t*)chan); smartlist_free(connection_array); From 890bc15ab641f1c22a39b9a86de656a4e3a2d225 Mon Sep 17 00:00:00 2001 From: Nick Mathewson Date: Fri, 29 Jun 2018 13:04:29 -0400 Subject: [PATCH 7/7] Changes file for 26467 --- changes/ticket26467 | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 changes/ticket26467 diff --git a/changes/ticket26467 b/changes/ticket26467 new file mode 100644 index 0000000000..45883786c2 --- /dev/null +++ b/changes/ticket26467 @@ -0,0 +1,3 @@ + o Minor bugfixes (memory, correctness): + - Fix a number of small memory leaks identified by coverity. Fixes + bug 26467; bugfix on numerous Tor versions.