memory leak in find_items_1_reply

Bug #784788 reported by JKL
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
libgnome-keyring (Ubuntu)
Fix Released
Undecided
Unassigned

Bug Description

The find_items_1_reply function in library/gnome_keyring.c calls dbus_message_get_args, which allocates the two arrays "locked" and "unlocked". These are not properly freed.

The underlying dbus implementation allocates these as null-terminated arrays, hence they are always allocated even when the number of items is 0. This may be confirmed by reading the code:

http://cgit.freedesktop.org/dbus/dbus/tree/dbus/dbus-message.c

Note in particular lines 855 and following.

Unfortunately the find_items_1_reply function has an early out in the case where n_locked and n_unlocked are both 0, so the trivial arrays are not properly freed.

Additionally, there is an early out in the case when dbus_message_get_args returns an error. Again, it looks like it is possible for one of the arrays to be allocated but not the other, or some other strange outcome, if there is an error inside the dbus_message_get_args function. Please consult the above-referenced code to confirm.

Here is a valgrind log of nm-applet which shows the problem in action:

==10301== 144 bytes in 18 blocks are definitely lost in loss record 8,167 of 9,326
==10301== at 0x4C279FC: calloc (vg_replace_malloc.c:467)
==10301== by 0x847138B: _dbus_message_iter_get_args_valist (dbus-message.c:855)
==10301== by 0x84715D9: dbus_message_get_args_valist (dbus-message.c:1872)
==10301== by 0x84716FD: dbus_message_get_args (dbus-message.c:1844)
==10301== by 0x5B1A9E2: find_items_1_reply (gnome-keyring.c:2265)
==10301== by 0x5B14D9B: on_pending_call_notify (gkr-operation.c:352)
==10301== by 0x8464579: complete_pending_call_and_unlock (dbus-connection.c:2308)
==10301== by 0x8466AC9: check_for_reply_and_update_dispatch_unlocked (dbus-connection.c:2327)
==10301== by 0x84680BE: _dbus_connection_block_pending_call (dbus-connection.c:2438)
==10301== by 0x5B14E15: gkr_operation_block_and_unref (gkr-operation.c:397)
==10301== by 0x5B1CEBC: gnome_keyring_find_itemsv_sync (gnome-keyring.c:2510)
==10301== by 0x44042F: copy_one_private_key_password (gconf-upgrade.c:1942)
==10301== by 0x443F0D: nm_gconf_migrate_0_7_certs (gconf-upgrade.c:2003)
==10301== by 0x43F862: nm_gconf_get_all_connections (gconf-helpers.c:1695)
==10301== by 0x4465A5: read_connections (nma-gconf-settings.c:234)
==10301== by 0x44665E: list_connections (nma-gconf-settings.c:270)
==10301== by 0x52701D1: impl_settings_list_connections (nm-settings-service.c:107)
==10301== by 0x526FEBB: dbus_glib_marshal_nm_settings_BOOLEAN__POINTER_POINTER (nm-settings-glue.h:97)
==10301== by 0x6584C4C: ??? (in /usr/lib/libdbus-glib-1.so.2.1.0)
==10301== by 0x8475A00: _dbus_object_tree_dispatch_and_unlock (dbus-object-tree.c:858)
==10301== by 0x8467B0F: dbus_connection_dispatch (dbus-connection.c:4688)
==10301== by 0x6582654: ??? (in /usr/lib/libdbus-glib-1.so.2.1.0)
==10301== by 0x8F5BBCC: g_main_context_dispatch (gmain.c:2440)
==10301== by 0x8F5C3A7: g_main_context_iterate.clone.6 (gmain.c:3091)
==10301== by 0x8F5C9F1: g_main_loop_run (gmain.c:3299)
==10301== by 0x416D77: main (main.c:101)

Revision history for this message
JKL (jkl102001) wrote :
Revision history for this message
JKL (jkl102001) wrote :

Fixed upstream.

Changed in libgnome-keyring (Ubuntu):
status: New → Fix Committed
Revision history for this message
Mathieu Trudel-Lapierre (cyphermox) wrote :

This made it in Oneiric (including subsequent fix of the introduced crasher related to that fix), AFAICT we can mark this Fix Released now.

FWIW:
libgnome-keyring (3.0.2-2) unstable; urgency=low

  * Add 01-fix-crash-from-memleak-fix.patch: Fix crash from recent memleak
    fix. (See GNOME #650840)

libgnome-keyring (3.0.2-1) unstable; urgency=low

  [ Jordi Mallach ]
  * Add a libgnome-keyring0-dbg package (closes: #576231).

  [ Martin Pitt ]
  * New upstream release.
  * debian/rules: Run upstream test suite during build.

Changed in libgnome-keyring (Ubuntu):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.