Bug 75 - convert_string_allocate() frees memory twice
Summary: convert_string_allocate() frees memory twice
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: File Services (show other bugs)
Version: 3.0.0preX
Hardware: All All
: P2 critical
Target Milestone: none
Assignee: Gerald (Jerry) Carter (dead mail address)
QA Contact:
Depends on:
Reported: 2003-05-08 09:49 UTC by John H Terpstra (mail address dead(
Modified: 2005-02-07 07:54 UTC (History)
1 user (show)

See Also:


Note You need to log in before you can comment on or make changes to this bug.
Description John H Terpstra (mail address dead( 2003-05-08 09:49:13 UTC
~/sources/lib/charcnv.c: Line: 254

        destlen = destlen - o_len;
        *dest = (char *)Realloc(ob,destlen);
        if (!*dest) {
                DEBUG(0, ("convert_string_allocate: out of memory!\n"));
                return (size_t)-1;

Assume destlen == 0
Realloc will free the original pointer, and the !*dest will free it again.
Comment 1 Gerald (Jerry) Carter (dead mail address) 2003-05-08 13:16:23 UTC
SAFE_FREE() correctly handles NULL pointers so this 
won't cause a crash or memory corruption, but I've added
a check just the same  (if (destlen && !*dest) {} )
Comment 2 Gerald (Jerry) Carter (dead mail address) 2003-05-20 08:19:50 UTC
Elrond gave it the ok.
Comment 3 Gerald (Jerry) Carter (dead mail address) 2005-02-07 07:54:58 UTC
originally reported against 3.0alpha23.  Bugzilla spring cleaning.