VirtualBox

Custom Query (16363 matches)

Results (757 - 759 of 16363)

Ticket Resolution Summary Owner Reporter
#16836 fixed sf_unlink_aux: potential null pointer dereference on dentry ColinIanKing
Description

Function sf_unlink_aux() in vboxsf/dirops.c performs a dereference on dentry with the following call:

    err = sf_path_from_dentry(__func__, sf_g, sf_i, dentry, &path);

However, a few statements later dentry is being checked to see if it is a NULL pointer:

    if (   dentry
        && dentry->d_inode
        && ((dentry->d_inode->i_mode & S_IFLNK) == S_IFLNK))
        fFlags |= SHFL_REMOVE_SYMLINK;

Either that null pointer check is redundant or dentry really could be NULL, in which case the earlier call to sf_path_from_dentry with a null dentry can trip a null pointer dereference bug on dentry.

Anyhow, the current code looks suspect and should be fixed.

#16837 invalid sf_path_from_dentry: null pointer dereference on failed kmalloc allocation ColinIanKing
Description

Function sf_path_from_dentry in src/VBox/Additions/linux/sharedfolders/utils.c is allocating a buffer using kmalloc but it does not check if the allocation failed:

        out_bound_len = PATH_MAX;
        out = kmalloc(out_bound_len, GFP_KERNEL);
        name = out;

..and later it is dereferenced leading to a potential NULL pointer dereference crash.

        LogFunc(("result(%d) = %.*s\n", len, len, name));
        *out = 0;

I suggest that the kmalloc failure case needs to be handled correctly.

#16838 fixed sf_glob_alloc: memory leak on str_name ColinIanKing
Description

Function sf_glob_alloc() in src/VBox/Additions/linux/sharedfolders/vfsmod.c allocates a buffer for str_name and leaks this information. The leak occurs on the check:

    /* Check if NLS charset is valid and not points to UTF8 table */
    if (info->nls_name[0])
    {
        if (_IS_UTF8(info->nls_name))
            sf_g->nls = NULL;
        else
        {
            sf_g->nls = load_nls(info->nls_name);
            if (!sf_g->nls)
            {
                err = -EINVAL;
                LogFunc(("failed to load nls %s\n", info->nls_name));
                goto fail1;
            }
        }
    }

..the failed to load nls error exit path jumps to fail1 which does not free str_name, which looks like a memory leak to me.
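
The error-path pattern reported in #16838, as an added user-space example (not code from the ticket or from the VirtualBox sources). The names `glob_alloc`, `glob_info`, `model_load_nls`, `xalloc`/`xfree`, the label layout and the `fail2` label are assumptions made for illustration; an allocation counter stands in for kmalloc/kfree so the leaked block can be observed.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Constructed user-space model: count live allocations so a leak is visible. */
static int live_allocs;
static void *xalloc(size_t n) { void *p = calloc(1, n); if (p) live_allocs++; return p; }
static void xfree(void *p) { if (p) { live_allocs--; free(p); } }

struct glob_info { char *str_name; int has_nls; };

/* Hypothetical stand-in for load_nls(): only one charset name is known. */
static int model_load_nls(const char *name) { return strcmp(name, "iso8859-1") == 0; }

/* fixed == 0: the nls failure jumps to fail1 and skips freeing str_name.
 * fixed == 1: it jumps to a label that frees str_name first, then falls through. */
static int glob_alloc(const char *nls_name, int fixed, struct glob_info **out)
{
    int err;
    struct glob_info *g = xalloc(sizeof(*g));
    if (!g) { err = -ENOMEM; goto fail0; }          /* allocation result is checked */
    g->str_name = xalloc(64);
    if (!g->str_name) { err = -ENOMEM; goto fail1; }
    if (nls_name[0]) {
        if (!model_load_nls(nls_name)) {
            err = -EINVAL;
            if (fixed) goto fail2;
            goto fail1;                             /* str_name is still allocated here */
        }
        g->has_nls = 1;
    }
    *out = g;
    return 0;
fail2:
    xfree(g->str_name);
fail1:
    xfree(g);
fail0:
    return err;
}

/* Returns how many allocations one failing call leaves behind (-1 if it did not fail). */
static int leaked_on_bad_nls(int fixed)
{
    struct glob_info *g = NULL;
    int before = live_allocs;
    int err = glob_alloc("no-such-charset", fixed, &g);
    return err == -EINVAL ? live_allocs - before : -1;
}
```

Each resource acquired gets its own unwind label, and every failure after an acquisition jumps to the label that releases it.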
