Skip to content

Address memory leaks/mitigate buffer overflows #161

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
igoropaniuk wants to merge 4 commits into
base: master
Choose a base branch
from
Open

Address memory leaks/mitigate buffer overflows #161

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
eec6e64
gpt: mitigate buffer overflow risk for lba buffer
igoropaniuk Nov 28, 2025
6365bf3
firehose: check malloc() return value for a sector buffer
igoropaniuk Nov 28, 2025
3efa6a2
util: check malloc return value in load_sahara_image()
igoropaniuk Nov 28, 2025
df9dd37
qdl: properly free all resources in decode_programmer_archive()
igoropaniuk Nov 28, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
7 changes: 7 additions & 0 deletions firehose.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -371,6 +371,11 @@ static int firehose_try_configure(struct qdl_device *qdl, bool skip_storage_init
if (storage != QDL_STORAGE_NAND) {
max_sector_size = sector_sizes[ARRAY_SIZE(sector_sizes) - 1];
buf = malloc(max_sector_size);
if (!buf) {
ux_err("failed to allocate sector buffer\n");
return -1;
}

memset(&op, 0, sizeof(op));
op.partition = 0;
op.start_sector = "1";
Expand All @@ -390,6 +395,8 @@ static int firehose_try_configure(struct qdl_device *qdl, bool skip_storage_init
break;
}
}

free(buf);
Copy link
Collaborator

@andersson andersson Dec 16, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think replacing the malloc() with alloca() would be cleaner, then we don't have to explicitly free the memory (and we don't need the NULL check...)

}

if (qdl->sector_size)
Expand Down
7 changes: 4 additions & 3 deletions gpt.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,7 @@
#include <assert.h>
#include <dirent.h>
#include <fcntl.h>
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <unistd.h>
Expand Down Expand Up @@ -140,8 +141,8 @@ static int gpt_load_table_from_partition(struct qdl_device *qdl, unsigned int ph
uint8_t buf[4096];
struct read_op op;
unsigned int offset;
unsigned int lba;
char lba_buf[10];
uint64_t lba;
char lba_buf[21];
uint16_t name_utf16le[36];
char name[36 * 4];
int ret;
Expand Down Expand Up @@ -178,7 +179,7 @@ static int gpt_load_table_from_partition(struct qdl_device *qdl, unsigned int ph

if (offset == 0) {
lba = gpt.part_entry_lba + i * gpt.part_entry_size / qdl->sector_size;
sprintf(lba_buf, "%u", lba);
snprintf(lba_buf, sizeof(lba_buf), "%" PRIu64, lba);
op.start_sector = lba_buf;

memset(buf, 0, sizeof(buf));
Expand Down
50 changes: 39 additions & 11 deletions qdl.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -171,20 +171,22 @@ static int decode_programmer_archive(struct sahara_image *images)
void *ptr = blob->ptr;
void *end = blob->ptr + blob->len;
long id;
int ret;

if (blob->len < sizeof(*hdr) || memcmp(ptr, CPIO_MAGIC, 6))
return 0;

ret = -1;
for (;;) {
if (ptr + sizeof(*hdr) > end) {
ux_err("programmer archive is truncated\n");
return -1;
break;
}
hdr = ptr;

if (memcmp(hdr->c_magic, "070701", 6)) {
ux_err("expected cpio header in programmer archive\n");
return -1;
break;
}

filesize = parse_ascii_hex32(hdr->c_filesize);
Expand All @@ -193,44 +195,70 @@ static int decode_programmer_archive(struct sahara_image *images)
ptr += sizeof(*hdr);
if (ptr + namesize > end || ptr + filesize + namesize > end) {
ux_err("programmer archive is truncated\n");
return -1;
break;
}

if (namesize > sizeof(name)) {
ux_err("unexpected filename length in progammer archive\n");
return -1;
break;
}
memcpy(name, ptr, namesize);

if (!memcmp(name, "TRAILER!!!", 11))
if (!memcmp(name, "TRAILER!!!", 11)) {
ret = 1;
break;
}

tok = strtok_r(name, ":", &save);
id = strtoul(tok, NULL, 0);
if (id == 0 || id >= MAPPING_SZ) {
ux_err("invalid image id \"%s\" in programmer archive\n", tok);
return -1;
break;
}

ptr += namesize;
ptr = ALIGN_UP(ptr, 4);

tok = strtok_r(NULL, ":", &save);
if (tok)
if (tok) {
images[id].name = strdup(tok);
if (!images[id].name) {
ux_err("failed to allocated buffer for an image name\n");
break;
}
}
images[id].len = filesize;
images[id].ptr = malloc(filesize);
if (!images[id].ptr) {
ux_err("failed to allocated buffer for an image, len = %z\n", images[id].len);
break;
}
memcpy(images[id].ptr, ptr, filesize);

ptr += filesize;
ptr = ALIGN_UP(ptr, 4);
}

free(blob->ptr);
blob->ptr = NULL;
blob->len = 0;
/*
* even if some images aren't initialized, it's safe to enumerate over each
* image and try to free, as otherwise image[i] will be filled with zeros.
Copy link
Collaborator

@andersson andersson Dec 16, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If needed, this would better be added to the comment above the function, stating that the images array must be zero-initialized (but I don't think it's necessary to document that).

*
* first image isn't freed if error occurred
Copy link
Contributor

@lumag lumag Dec 11, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why?

Copy link
Collaborator

@andersson andersson Dec 16, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The kernel-doc answers this question... making this comment a bit weird.

*/
for (size_t i = 0; i < MAPPING_SZ; i++) {
if (ret != 1 && i == 0)
Copy link
Collaborator

@andersson andersson Dec 16, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please see if you can write this in a less clever way, or perhaps add the comment here.

continue;

return 1;
if (images[i].ptr)
Copy link
Collaborator

@andersson andersson Dec 16, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Calling free(NULL) is valid, so no need for the extra conditionals.

free(images[i].ptr);
if (images[i].name)
free((void *)images[i].name);
Copy link
Collaborator

@andersson andersson Dec 16, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Perhaps drop the const instead of type casting here?

images[i].ptr = NULL;
images[i].name = NULL;
images[i].len = 0;
}

return ret;
}

/**
Expand Down
4 changes: 4 additions & 0 deletions util.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -242,6 +242,10 @@ int load_sahara_image(const char *filename, struct sahara_image *image)
lseek(fd, 0, SEEK_SET);

ptr = malloc(len);
if (!ptr) {
ux_err("failed to init buffer for content of \"%s\"\n", filename);
goto err_close;
}

n = read(fd, ptr, len);
if (n != len) {
Expand Down
Loading