memory leak in find_items_1_reply

The find_items_1_reply function in library/gnome_keyring.c calls dbus_message_get_args, which allocates the two arrays "locked" and "unlocked". These are not properly freed.

The underlying dbus implementation allocates these as null-terminated arrays, hence they are always allocated even when the number of items is 0. This may be confirmed by reading the code:

http://cgit.freedesktop.org/dbus/dbus/tree/dbus/dbus-message.c

Note in particular lines 855 and following.

Unfortunately the find_items_1_reply function has an early out in the case where n_locked and n_unlocked are both 0, so the trivial arrays are not properly freed.

Additionally, there is an early out in the case when dbus_message_get_args returns an error. Again, it looks like it is possible for one of the arrays to be allocated but not the other, or some other strange outcome, if there is an error inside the dbus_message_get_args function. Please consult the above-referenced code to confirm.

Here is a valgrind log of nm-applet which shows the problem in action:

==10301== 144 bytes in 18 blocks are definitely lost in loss record 8,167 of 9,326
==10301== at 0x4C279FC: calloc (vg_replace_malloc.c:467)
==10301== by 0x847138B: _dbus_message_iter_get_args_valist (dbus-message.c:855)
==10301== by 0x84715D9: dbus_message_get_args_valist (dbus-message.c:1872)
==10301== by 0x84716FD: dbus_message_get_args (dbus-message.c:1844)
==10301== by 0x5B1A9E2: find_items_1_reply (gnome-keyring.c:2265)
==10301== by 0x5B14D9B: on_pending_call_notify (gkr-operation.c:352)
==10301== by 0x8464579: complete_pending_call_and_unlock (dbus-connection.c:2308)
==10301== by 0x8466AC9: check_for_reply_and_update_dispatch_unlocked (dbus-connection.c:2327)
==10301== by 0x84680BE: _dbus_connection_block_pending_call (dbus-connection.c:2438)
==10301== by 0x5B14E15: gkr_operation_block_and_unref (gkr-operation.c:397)
==10301== by 0x5B1CEBC: gnome_keyring_find_itemsv_sync (gnome-keyring.c:2510)
==10301== by 0x44042F: copy_one_private_key_password (gconf-upgrade.c:1942)
==10301== by 0x443F0D: nm_gconf_migrate_0_7_certs (gconf-upgrade.c:2003)
==10301== by 0x43F862: nm_gconf_get_all_connections (gconf-helpers.c:1695)
==10301== by 0x4465A5: read_connections (nma-gconf-settings.c:234)
==10301== by 0x44665E: list_connections (nma-gconf-settings.c:270)
==10301== by 0x52701D1: impl_settings_list_connections (nm-settings-service.c:107)
==10301== by 0x526FEBB: dbus_glib_marshal_nm_settings_BOOLEAN__POINTER_POINTER (nm-settings-glue.h:97)
==10301== by 0x6584C4C: ??? (in /usr/lib/libdbus-glib-1.so.2.1.0)
==10301== by 0x8475A00: _dbus_object_tree_dispatch_and_unlock (dbus-object-tree.c:858)
==10301== by 0x8467B0F: dbus_connection_dispatch (dbus-connection.c:4688)
==10301== by 0x6582654: ??? (in /usr/lib/libdbus-glib-1.so.2.1.0)
==10301== by 0x8F5BBCC: g_main_context_dispatch (gmain.c:2440)
==10301== by 0x8F5C3A7: g_main_context_iterate.clone.6 (gmain.c:3091)
==10301== by 0x8F5C9F1: g_main_loop_run (gmain.c:3299)
==10301== by 0x416D77: main (main.c:101)