From 7e15cb2712c6ad52fe488e6c0fcf4a71079c5b20 Mon Sep 17 00:00:00 2001 From: Tomas Hozza Date: Tue, 31 Jul 2018 16:58:12 +0200 Subject: [PATCH 3/6] Fix RESOURCE LEAK in http.c found by Coverity Error: RESOURCE_LEAK (CWE-772): wget-1.19.5/src/http.c:4486: alloc_fn: Storage is returned from allocation function "url_string". wget-1.19.5/src/url.c:2248:3: alloc_fn: Storage is returned from allocation function "xmalloc". wget-1.19.5/lib/xmalloc.c:41:11: alloc_fn: Storage is returned from allocation function "malloc". wget-1.19.5/lib/xmalloc.c:41:11: var_assign: Assigning: "p" = "malloc(n)". wget-1.19.5/lib/xmalloc.c:44:3: return_alloc: Returning allocated memory "p". wget-1.19.5/src/url.c:2248:3: var_assign: Assigning: "result" = "xmalloc(size)". wget-1.19.5/src/url.c:2248:3: var_assign: Assigning: "p" = "result". wget-1.19.5/src/url.c:2250:3: noescape: Resource "p" is not freed or pointed-to in function "memcpy". [Note: The source code implementation of the function has been overridden by a builtin model.] wget-1.19.5/src/url.c:2253:7: noescape: Resource "p" is not freed or pointed-to in function "memcpy". [Note: The source code implementation of the function has been overridden by a builtin model.] wget-1.19.5/src/url.c:2257:11: noescape: Resource "p" is not freed or pointed-to in function "memcpy". [Note: The source code implementation of the function has been overridden by a builtin model.] wget-1.19.5/src/url.c:2264:3: noescape: Resource "p" is not freed or pointed-to in function "memcpy". [Note: The source code implementation of the function has been overridden by a builtin model.] wget-1.19.5/src/url.c:2270:7: identity_transfer: Passing "p" as argument 1 to function "number_to_string", which returns an offset off that argument. wget-1.19.5/src/utils.c:1776:11: var_assign_parm: Assigning: "p" = "buffer". wget-1.19.5/src/utils.c:1847:3: return_var: Returning "p", which is a copy of a parameter. wget-1.19.5/src/url.c:2270:7: noescape: Resource "p" is not freed or pointed-to in function "number_to_string". wget-1.19.5/src/utils.c:1774:25: noescape: "number_to_string(char *, wgint)" does not free or save its parameter "buffer". wget-1.19.5/src/url.c:2270:7: var_assign: Assigning: "p" = "number_to_string(p, url->port)". wget-1.19.5/src/url.c:2273:3: noescape: Resource "p" is not freed or pointed-to in function "full_path_write". wget-1.19.5/src/url.c:1078:47: noescape: "full_path_write(struct url const *, char *)" does not free or save its parameter "where". wget-1.19.5/src/url.c:2287:3: return_alloc: Returning allocated memory "result". wget-1.19.5/src/http.c:4486: var_assign: Assigning: "hurl" = storage returned from "url_string(u, URL_AUTH_HIDE_PASSWD)". wget-1.19.5/src/http.c:4487: noescape: Resource "hurl" is not freed or pointed-to in "logprintf". wget-1.19.5/src/http.c:4513: leaked_storage: Variable "hurl" going out of scope leaks the storage it points to. \# 4511| { \# 4512| printwhat (count, opt.ntry); \# 4513|-> continue; \# 4514| } \# 4515| else There are two conditional branches, which call continue, without freeing memory potentially allocated and pointed to by"hurl" pointer. In fase "!opt.verbose" is True and some of the appropriate conditions in the following if/else if construction, in which "continue" is called, are also true, then the memory allocated to "hurl" will leak. Signed-off-by: Tomas Hozza --- src/http.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/http.c b/src/http.c index 4e0d467a..46fde6f2 100644 --- a/src/http.c +++ b/src/http.c @@ -4505,6 +4505,7 @@ http_loop (const struct url *u, struct url *original_url, char **newloc, && (hstat.statcode == 500 || hstat.statcode == 501)) { got_head = true; + xfree (hurl); continue; } /* Maybe we should always keep track of broken links, not just in @@ -4523,6 +4524,7 @@ Remote file does not exist -- broken link!!!\n")); else if (check_retry_on_http_error (hstat.statcode)) { printwhat (count, opt.ntry); + xfree (hurl); continue; } else -- 2.17.1