Bug 75 - convert_string_allocate() frees memory twice
Status: CLOSED FIXED
Product: Samba 3.0
Classification: Unclassified
Component: File Services
Version: 3.0.0preX
Hardware: All All
Importance: P2 critical
Target Milestone: none
Assignee: Gerald (Jerry) Carter (dead mail address)
Reported: 2003-05-08 09:49 UTC by John H Terpstra (mail address dead)
Modified: 2005-02-07 07:54 UTC
Description John H Terpstra (mail address dead) 2003-05-08 09:49:13 UTC
~/sources/lib/charcnv.c: Line: 254

        destlen = destlen - o_len;
        *dest = (char *)Realloc(ob,destlen);
        if (!*dest) {
                DEBUG(0, ("convert_string_allocate: out of memory!\n"));
                SAFE_FREE(ob);
                return (size_t)-1;
        }

Example:
Assume destlen == 0
Realloc will free the original pointer, and the !*dest will free it again.
Comment 1 Gerald (Jerry) Carter (dead mail address) 2003-05-08 13:16:23 UTC
SAFE_FREE() correctly handles NULL pointers so this
won't cause a crash or memory corruption, but I've added
a check just the same (if (destlen && !*dest) {}).
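
The zero-length case from the description and the `destlen &&` guard from Comment 1, as an added example that is not part of the original bug report or Samba's code. `t_malloc`, `t_free`, `realloc_model` and `run_shrink` are hypothetical names; the model assumes, as the report states, that a zero-size Realloc frees the block and returns NULL, and the constructed tracking allocator counts a repeated free instead of performing it.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed tracking allocator: a second free of the same block is
 * counted instead of executed, so the demo itself stays memory-safe. */
#define MAX_LIVE 16
static void *live[MAX_LIVE];
static int double_frees;

static void *t_malloc(size_t n) {
    void *p = malloc(n);
    for (int i = 0; p && i < MAX_LIVE; i++)
        if (!live[i]) { live[i] = p; return p; }
    free(p);                      /* table full, or malloc failed (NULL) */
    return NULL;
}

static void t_free(void *p) {
    if (!p) return;               /* NULL is ignored, as SAFE_FREE does */
    for (int i = 0; i < MAX_LIVE; i++)
        if (live[i] == p) { live[i] = NULL; free(p); return; }
    double_frees++;               /* stale pointer: block already released */
}

/* Assumed model of Realloc() as the report describes it: size 0 frees the
 * block and returns NULL. Other sizes keep the block (no real resize). */
static void *realloc_model(void *p, size_t size) {
    if (size == 0) { t_free(p); return NULL; }
    return p;
}

/* Error path from the report. guarded=0 tests !dest; guarded=1 tests
 * destlen && !dest. Returns the number of double frees detected. */
int run_shrink(size_t destlen, int guarded) {
    double_frees = 0;
    char *ob = t_malloc(32);
    if (!ob) return -1;
    char *dest = realloc_model(ob, destlen);
    if (guarded ? (destlen && !dest) : !dest)
        t_free(ob);               /* error path: ob still holds the old address */
    else
        t_free(dest);             /* normal cleanup; no-op when dest is NULL */
    return double_frees;
}

int main(void) {
    printf("destlen=0 unguarded: %d\n", run_shrink(0, 0));
    printf("destlen=0 guarded:   %d\n", run_shrink(0, 1));
    return 0;
}
```

The NULL check in the free helper does not catch the repeated free because the caller's copy of `ob` is never reset; only the `destlen` guard keeps the error path from running.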
Comment 2 Gerald (Jerry) Carter (dead mail address) 2003-05-20 08:19:50 UTC
Elrond gave it the ok.
Comment 3 Gerald (Jerry) Carter (dead mail address) 2005-02-07 07:54:58 UTC
Originally reported against 3.0alpha23. Bugzilla spring cleaning.