Fix memory leak (start enum)

Enumeration loop added for object corruption. Add missing free because of tee_svc_storage_set_enum obj_id memory allocation (malloc) during enumeration loop. Force obj_id to NULL in the enumation loop to skip freeing at 'exit' label statement. closes OP-TEE#494 Signed-off-by: Cedric Chaumont <cedric.chaumont@st.com> Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org> Reviewed-by: Pascal Brand <pascal.brand@linaro.org> Tested-by: Cedric Chaumont <cedric.chaumont@linaro.org> (STM boards)
cedric-chaumont-st-dev · Oct 13, 2015 · 4a893a4 · 4a893a4
1 parent 13c163a
commit 4a893a4
Showing 1 changed file with 7 additions and 1 deletion.
diff --git a/core/tee/tee_svc_storage.c b/core/tee/tee_svc_storage.c
@@ -910,7 +910,7 @@ static TEE_Result tee_svc_storage_set_enum(char *d_name, struct tee_obj *o)
 	hslen = strlen(d_name);
 	blen = TEE_HS2B_BBUF_SIZE(hslen);
 	o->pobj->obj_id = malloc(blen);
-	if (o->pobj->obj_id == NULL) {
+	if (!o->pobj->obj_id) {
 		res = TEE_ERROR_OUT_OF_MEMORY;
 		goto exit;
 	}
@@ -971,15 +971,21 @@ TEE_Result tee_svc_storage_start_enum(uint32_t obj_enum, uint32_t storage_id)
 		goto exit;
 	}
 
+	/* object enumeration loop */
 	do {
 		d = tee_file_ops.readdir(e->dir);
 		if (d) {
+			/* allocate obj_id and set object */
 			res = tee_svc_storage_set_enum(d->d_name, o);
 			if (res != TEE_SUCCESS)
 				goto exit;
 			res = tee_obj_verify(sess, o);
 			if (res != TEE_SUCCESS)
 				goto exit;
+			/* free obj_id for each iteration */
+			free(o->pobj->obj_id);
+			/* force obj_id to skip freeing at exit statement */
+			o->pobj->obj_id = NULL;
 		}
 	} while (d);