Bug #4850
File descriptor leak in tlicall()
Start date:
2014-05-05
Due date:
% Done:
0%
Estimated time:
Difficulty:
Medium
Tags:
needs-triage
Gerrit CR:
Description
There are two possible file descriptor leaks in tlicall().
Leak 1
Here is the source code:
489 if (setjmp(Sjbuf)) {
490 DEBUG(1, "t_open timeout\\n%s", "");
491 logent("t_open", "TIMEOUT");
492 Uerror = SS_NO_DEVICE;
493 return (FAIL);
494 }
495 (void) signal(SIGALRM, alarmtr);
496 (void) alarm(5);
497 fd = t_open(devname, O_RDWR, &tinfo);
498 (void) alarm(0);
In alarmtr() the longjmp() is called to jump back at line 489.
In a case the alarm timeouts after the file is opened, but before alarm(0) is called, we will leak fd. In addition we might also leak some memory allocated in t_open().
Leak 2
Later in tlicall() there is this code:
504 if (fd_mklock(fd) != SUCCESS) {
505 (void) t_close(fd);
506 DEBUG(1, "tlicall: failed to lock device %s\\n", devname);
507 Uerror = SS_LOCKED_DEVICE;
508 return (FAIL);
509 }
510
511 /* allocate tli structures */
512 errno = t_errno = 0;
513 /* LINTED pointer cast */
514 if ((bind_ret = (struct t_bind *)t_alloc(fd, T_BIND, T_ALL)) == NULL ||
515 /* LINTED pointer cast */
516 (sndcall = (struct t_call *)t_alloc(fd, T_CALL, T_ALL)) == NULL ||
517 /* LINTED pointer cast */
518 (rcvcall = (struct t_call *)t_alloc(fd, T_CALL, T_ALL)) == NULL) {
519 tfaillog(fd, "t_alloc");
520 TFREE(bind_ret, T_BIND);
521 TFREE(sndcall, T_CALL);
522 TFREE(rcvcall, T_CALL);
523 Uerror = SS_NO_DEVICE;
524 return (FAIL);
525 }
There are missing both fd_rmlock() and t_close() calls before line 524.
Related issues