From f0febd73bffd78e080499d87dc03eea7622dd876 Mon Sep 17 00:00:00 2001 From: Bastien Nocera Date: Tue, 2 Jul 2024 15:27:12 +0200 Subject: [PATCH] shared/shell: Free memory allocated by wordexp() Error: RESOURCE_LEAK (CWE-772): [#def38] [important] bluez-5.76/src/shared/shell.c:519:2: alloc_arg: "parse_args" allocates memory that is stored into "w.we_wordv". bluez-5.76/src/shared/shell.c:523:3: leaked_storage: Variable "w" going out of scope leaks the storage "w.we_wordv" points to. 521| "Unable to parse mandatory command arguments: %s", man ); 522| free(man); 523|-> return -EINVAL; 524| } 525| Error: RESOURCE_LEAK (CWE-772): [#def40] [important] bluez-5.76/src/shared/shell.c:1113:3: alloc_arg: "wordexp" allocates memory that is stored into "w.we_wordv". bluez-5.76/src/shared/shell.c:1114:4: leaked_storage: Variable "w" going out of scope leaks the storage "w.we_wordv" points to. 1112| 1113| if (wordexp(rl_line_buffer, &w, WRDE_NOCMD)) 1114|-> return NULL; 1115| 1116| matches = menu_completion(default_menu, text, w.we_wordc, Error: RESOURCE_LEAK (CWE-772): [#def42] [important] bluez-5.76/src/shared/shell.c:1412:2: alloc_arg: "wordexp" allocates memory that is stored into "w.we_wordv". bluez-5.76/src/shared/shell.c:1415:3: leaked_storage: Variable "w" going out of scope leaks the storage "w.we_wordv" points to. 1413| switch (err) { 1414| case WRDE_BADCHAR: 1415|-> return -EBADMSG; 1416| case WRDE_BADVAL: 1417| case WRDE_SYNTAX: Error: RESOURCE_LEAK (CWE-772): [#def43] [important] bluez-5.76/src/shared/shell.c:1412:2: alloc_arg: "wordexp" allocates memory that is stored into "w.we_wordv". bluez-5.76/src/shared/shell.c:1418:3: leaked_storage: Variable "w" going out of scope leaks the storage "w.we_wordv" points to. 1416| case WRDE_BADVAL: 1417| case WRDE_SYNTAX: 1418|-> return -EINVAL; 1419| case WRDE_NOSPACE: 1420| return -ENOMEM; Error: RESOURCE_LEAK (CWE-772): [#def44] [important] bluez-5.76/src/shared/shell.c:1412:2: alloc_arg: "wordexp" allocates memory that is stored into "w.we_wordv". bluez-5.76/src/shared/shell.c:1420:3: leaked_storage: Variable "w" going out of scope leaks the storage "w.we_wordv" points to. 1418| return -EINVAL; 1419| case WRDE_NOSPACE: 1420|-> return -ENOMEM; 1421| case WRDE_CMDSUB: 1422| if (wordexp(input, &w, 0)) Error: RESOURCE_LEAK (CWE-772): [#def45] [important] bluez-5.76/src/shared/shell.c:1422:3: alloc_arg: "wordexp" allocates memory that is stored into "w.we_wordv". bluez-5.76/src/shared/shell.c:1423:4: leaked_storage: Variable "w" going out of scope leaks the storage "w.we_wordv" points to. 1421| case WRDE_CMDSUB: 1422| if (wordexp(input, &w, 0)) 1423|-> return -ENOEXEC; 1424| break; 1425| }; --- src/shared/shell.c | 26 ++++++++++++++++++++------ 1 file changed, 20 insertions(+), 6 deletions(-) diff --git a/src/shared/shell.c b/src/shared/shell.c index 73b4c704174a..60d37c9e56a7 100644 --- a/src/shared/shell.c +++ b/src/shared/shell.c @@ -498,13 +498,23 @@ static void shell_print_menu_zsh_complete(void) } } +static int _wordexp(const char *restrict s, wordexp_t *restrict p, int flags) +{ + int ret; + + ret = wordexp(s, p, flags); + if (ret != 0) + wordfree(p); + return ret; +} + static int parse_args(char *arg, wordexp_t *w, char *del, int flags) { char *str; str = strdelimit(arg, del, '"'); - if (wordexp(str, w, flags)) { + if (_wordexp(str, w, flags) != 0) { free(str); return -EINVAL; } @@ -526,6 +536,7 @@ static int cmd_exec(const struct bt_shell_menu_entry *entry, char *man, *opt; int flags = WRDE_NOCMD; bool optargs = false; + size_t saved_wordc = 0; if (argc == 2 && (!memcmp(argv[1], "help", 4) || !memcmp(argv[1], "--help", 6))) { @@ -583,8 +594,10 @@ static int cmd_exec(const struct bt_shell_menu_entry *entry, goto fail; } - flags |= WRDE_APPEND; + flags |= WRDE_APPEND | WRDE_REUSE; opt = strdup(entry->arg + len + 1); + saved_wordc = w.we_wordc; + w.we_wordc = 0; optional: if (parse_args(opt, &w, "[]", flags) < 0) { @@ -598,6 +611,7 @@ optional: free(opt); /* Check if there are too many arguments */ + w.we_wordc += saved_wordc; if (!optargs && ((unsigned int) argc - 1 > w.we_wordc && !w.we_offs)) { print_text(COLOR_HIGHLIGHT, "Too many arguments: %d > %zu", argc - 1, w.we_wordc); @@ -1089,7 +1103,7 @@ static char **args_completion(const struct bt_shell_menu_entry *entry, int argc, args.we_offs = 0; wordfree(&args); - if (wordexp(str, &args, WRDE_NOCMD)) + if (_wordexp(str, &args, WRDE_NOCMD)) goto done; rl_completion_display_matches_hook = NULL; @@ -1161,7 +1175,7 @@ static char **shell_completion(const char *text, int start, int end) if (start > 0) { wordexp_t w; - if (wordexp(rl_line_buffer, &w, WRDE_NOCMD)) + if (_wordexp(rl_line_buffer, &w, WRDE_NOCMD)) return NULL; matches = menu_completion(default_menu, text, w.we_wordc, @@ -1464,7 +1478,7 @@ int bt_shell_exec(const char *input) if (data.monitor) bt_log_printf(0xffff, data.name, LOG_INFO, "%s", input); - err = wordexp(input, &w, WRDE_NOCMD); + err = _wordexp(input, &w, WRDE_NOCMD); switch (err) { case WRDE_BADCHAR: return -EBADMSG; @@ -1474,7 +1488,7 @@ int bt_shell_exec(const char *input) case WRDE_NOSPACE: return -ENOMEM; case WRDE_CMDSUB: - if (wordexp(input, &w, 0)) + if (_wordexp(input, &w, 0)) return -ENOEXEC; break; }; -- 2.48.1