Posted to issues@trafficserver.apache.org by "ASF subversion and git services (JIRA)" <ji...@apache.org> on 2015/11/20 01:41:11 UTC
[jira] [Commented] (TS-3962) CID 1325824: (USE_AFTER_FREE) in malloc_bulkfree()
[ https://issues.apache.org/jira/browse/TS-3962?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15014878#comment-15014878 ]
ASF subversion and git services commented on TS-3962:
-----------------------------------------------------
Commit f068e17360addf6d0ea04c16a43a20391d4f0475 in trafficserver's branch refs/heads/6.0.x from [~psudaemon]
[ https://git-wip-us.apache.org/repos/asf?p=trafficserver.git;h=f068e17 ]
TS-3962: Fix Coverity CID #1325824
(cherry picked from commit f9d63a4bf73cc1b84934d2db9010865a2d3fbf2a)
> CID 1325824: (USE_AFTER_FREE) in malloc_bulkfree()
> -----------------------------------------------------
>
> Key: TS-3962
> URL: https://issues.apache.org/jira/browse/TS-3962
> Project: Traffic Server
> Issue Type: Bug
> Components: Core
> Reporter: Leif Hedstrom
> Assignee: Phil Sorber
> Fix For: 6.0.1
>
>
> {code}
> ** CID 1325824: (USE_AFTER_FREE)
> /lib/ts/ink_queue.cc: 390 in malloc_bulkfree(_InkFreeList *, void *, void *, unsigned long)()
> /lib/ts/ink_queue.cc: 394 in malloc_bulkfree(_InkFreeList *, void *, void *, unsigned long)()
> /lib/ts/ink_queue.cc: 394 in malloc_bulkfree(_InkFreeList *, void *, void *, unsigned long)()
> /lib/ts/ink_queue.cc: 390 in malloc_bulkfree(_InkFreeList *, void *, void *, unsigned long)()
> ________________________________________________________________________________________________________
> *** CID 1325824: (USE_AFTER_FREE)
> /lib/ts/ink_queue.cc: 390 in malloc_bulkfree(_InkFreeList *, void *, void *, unsigned long)()
> 384 void *item = head;
> 385
> 386 // Avoid compiler warnings
> 387 (void)tail;
> 388
> 389 if (f->alignment) {
> CID 1325824: (USE_AFTER_FREE)
> Using freed pointer "item".
> 390 for (size_t i = 0; i < num_item && item; ++i, item = *(void **)item) {
> 391 ats_memalign_free(item);
> 392 }
> 393 } else {
> 394 for (size_t i = 0; i < num_item && item; ++i, item = *(void **)item) {
> 395 ats_free(item);
> /lib/ts/ink_queue.cc: 394 in malloc_bulkfree(_InkFreeList *, void *, void *, unsigned long)()
> 388
> 389 if (f->alignment) {
> 390 for (size_t i = 0; i < num_item && item; ++i, item = *(void **)item) {
> 391 ats_memalign_free(item);
> 392 }
> 393 } else {
> CID 1325824: (USE_AFTER_FREE)
> Using freed pointer "item".
> 394 for (size_t i = 0; i < num_item && item; ++i, item = *(void **)item) {
> 395 ats_free(item);
> 396 }
> 397 }
> 398 }
> 399
> /lib/ts/ink_queue.cc: 394 in malloc_bulkfree(_InkFreeList *, void *, void *, unsigned long)()
> 388
> 389 if (f->alignment) {
> 390 for (size_t i = 0; i < num_item && item; ++i, item = *(void **)item) {
> 391 ats_memalign_free(item);
> 392 }
> 393 } else {
> CID 1325824: (USE_AFTER_FREE)
> Using freed pointer "item".
> 394 for (size_t i = 0; i < num_item && item; ++i, item = *(void **)item) {
> 395 ats_free(item);
> 396 }
> 397 }
> 398 }
> 399
> /lib/ts/ink_queue.cc: 390 in malloc_bulkfree(_InkFreeList *, void *, void *, unsigned long)()
> 384 void *item = head;
> 385
> 386 // Avoid compiler warnings
> 387 (void)tail;
> 388
> 389 if (f->alignment) {
> CID 1325824: (USE_AFTER_FREE)
> Using freed pointer "item".
> 390 for (size_t i = 0; i < num_item && item; ++i, item = *(void **)item) {
> 391 ats_memalign_free(item);
> 392 }
> 393 } else {
> 394 for (size_t i = 0; i < num_item && item; ++i, item = *(void **)item) {
> 395 ats_free(item);
> {code}
> Seems we ought to not use the item in the iterator after we've already freed it :).
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
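
Added example, not part of the original message and not the Traffic Server commit: the loop shape Coverity flagged beside one corrected shape that reads the link before releasing the item. The arena, demo_free(), build_list() and both bulkfree_* functions are hypothetical stand-ins; "freeing" only clears the item's first word inside a static array, so the flagged loop's read stays well-defined here and its effect can be observed.

```c
#include <stddef.h>
#include <stdio.h>

#define N_ITEMS 4

/* Constructed stand-in for the heap: each item is 4 words, word 0 is the link. */
static void *arena[N_ITEMS][4];
static size_t freed_count;

/* Hypothetical stand-in for ats_free(): an allocator may reuse a released
 * block's first word for its own bookkeeping; modelled by clearing it. */
static void demo_free(void *item) {
  *(void **)item = NULL;
  ++freed_count;
}

/* Chain the arena items into a singly linked list and reset the counter. */
static void *build_list(void) {
  for (size_t i = 0; i < N_ITEMS; ++i) {
    arena[i][0] = (i + 1 < N_ITEMS) ? (void *)arena[i + 1] : NULL;
  }
  freed_count = 0;
  return arena[0];
}

/* Loop shape from the report: the increment reads *item after the free. */
static size_t bulkfree_flagged(void *head, size_t num_item) {
  void *item = head;
  for (size_t i = 0; i < num_item && item; ++i, item = *(void **)item) {
    demo_free(item);
  }
  return freed_count;
}

/* Corrected shape: fetch the link first, then release the item. */
static size_t bulkfree_fixed(void *head, size_t num_item) {
  void *item = head;
  for (size_t i = 0; i < num_item && item; ++i) {
    void *next = *(void **)item;
    demo_free(item);
    item = next;
  }
  return freed_count;
}

int main(void) {
  printf("flagged: %zu\n", bulkfree_flagged(build_list(), N_ITEMS));
  printf("fixed:   %zu\n", bulkfree_fixed(build_list(), N_ITEMS));
  return 0;
}
```

With a real allocator the stale read is undefined behaviour rather than a clean early stop, which is why the stand-in keeps everything inside a static array.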