Custom Query (16363 matches)
Results (880 - 882 of 16363)
| Ticket | Resolution | Summary | Owner | Reporter |
|---|---|---|---|---|
| #16836 | fixed | sf_unlink_aux: potential null pointer dereference on dentry | ||
| Description |
Function sf_unlink_aux() in vboxsf/dirops.c performs a dereference on dentry with the following call:

```c
err = sf_path_from_dentry(__func__, sf_g, sf_i, dentry, &path);
```

However, a few statements later dentry is being checked to see if it is a NULL pointer:

```c
if (   dentry
    && dentry->d_inode
    && ((dentry->d_inode->i_mode & S_IFLNK) == S_IFLNK))
    fFlags |= SHFL_REMOVE_SYMLINK;
```

Either that null pointer check is redundant or dentry really could be NULL, in which case the earlier call to sf_path_from_dentry with a null dentry can trip a null pointer dereference bug on dentry. Anyhow, the current code looks suspect and should be fixed. |
|||
| #16837 | invalid | sf_path_from_dentry: null pointer dereference on failed kmalloc allocation | ||
| Description |
Function sf_path_from_dentry in src/VBox/Additions/linux/sharedfolders/utils.c is allocating a buffer using kmalloc but it does not check if the allocation failed:

```c
out_bound_len = PATH_MAX;
out = kmalloc(out_bound_len, GFP_KERNEL);
name = out;
```

..and later it is dereferenced leading to a potential NULL pointer dereference crash.

```c
LogFunc(("result(%d) = %.*s\n", len, len, name));
*out = 0;
```

I suggest that the kmalloc failure case needs to be handled correctly. |
|||
| #16838 | fixed | sf_glob_alloc: memory leak on str_name | ||
| Description |
Function sf_glob_alloc() in src/VBox/Additions/linux/sharedfolders/vfsmod.c allocates a buffer for str_name and leaks this information. The leak occurs on the check:

```c
/* Check if NLS charset is valid and not points to UTF8 table */
if (info->nls_name[0])
{
    if (_IS_UTF8(info->nls_name))
        sf_g->nls = NULL;
    else
    {
        sf_g->nls = load_nls(info->nls_name);
        if (!sf_g->nls)
        {
            err = -EINVAL;
            LogFunc(("failed to load nls %s\n", info->nls_name));
            goto fail1;
        }
    }
}
```

..the failed to load nls error exit path jumps to fail1 which does not free str_name, which looks like a memory leak to me. |
|||

