[
https://issues.apache.org/jira/browse/TS-3962?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14952457#comment-14952457
]
ASF subversion and git services commented on TS-3962:
-----------------------------------------------------
Commit f9d63a4bf73cc1b84934d2db9010865a2d3fbf2a in trafficserver's branch
refs/heads/master from [~psudaemon]
[ https://git-wip-us.apache.org/repos/asf?p=trafficserver.git;h=f9d63a4 ]
TS-3962: Fix Coverity CID #1325824
> CID 1325824: (USE_AFTER_FREE) in malloc_bulkfree()
> -----------------------------------------------------
>
> Key: TS-3962
> URL: https://issues.apache.org/jira/browse/TS-3962
> Project: Traffic Server
> Issue Type: Bug
> Components: Core
> Reporter: Leif Hedstrom
> Assignee: Phil Sorber
> Fix For: 6.1.0
>
>
> {code}
> ** CID 1325824: (USE_AFTER_FREE)
> /lib/ts/ink_queue.cc: 390 in malloc_bulkfree(_InkFreeList *, void *, void *,
> unsigned long)()
> /lib/ts/ink_queue.cc: 394 in malloc_bulkfree(_InkFreeList *, void *, void *,
> unsigned long)()
> /lib/ts/ink_queue.cc: 394 in malloc_bulkfree(_InkFreeList *, void *, void *,
> unsigned long)()
> /lib/ts/ink_queue.cc: 390 in malloc_bulkfree(_InkFreeList *, void *, void *,
> unsigned long)()
> ________________________________________________________________________________________________________
> *** CID 1325824: (USE_AFTER_FREE)
> /lib/ts/ink_queue.cc: 390 in malloc_bulkfree(_InkFreeList *, void *, void *,
> unsigned long)()
> 384 void *item = head;
> 385
> 386 // Avoid compiler warnings
> 387 (void)tail;
> 388
> 389 if (f->alignment) {
> CID 1325824: (USE_AFTER_FREE)
> Using freed pointer "item".
> 390 for (size_t i = 0; i < num_item && item; ++i, item = *(void
> **)item) {
> 391 ats_memalign_free(item);
> 392 }
> 393 } else {
> 394 for (size_t i = 0; i < num_item && item; ++i, item = *(void
> **)item) {
> 395 ats_free(item);
> /lib/ts/ink_queue.cc: 394 in malloc_bulkfree(_InkFreeList *, void *, void *,
> unsigned long)()
> 388
> 389 if (f->alignment) {
> 390 for (size_t i = 0; i < num_item && item; ++i, item = *(void
> **)item) {
> 391 ats_memalign_free(item);
> 392 }
> 393 } else {
> CID 1325824: (USE_AFTER_FREE)
> Using freed pointer "item".
> 394 for (size_t i = 0; i < num_item && item; ++i, item = *(void
> **)item) {
> 395 ats_free(item);
> 396 }
> 397 }
> 398 }
> 399
> /lib/ts/ink_queue.cc: 394 in malloc_bulkfree(_InkFreeList *, void *, void *,
> unsigned long)()
> 388
> 389 if (f->alignment) {
> 390 for (size_t i = 0; i < num_item && item; ++i, item = *(void
> **)item) {
> 391 ats_memalign_free(item);
> 392 }
> 393 } else {
> CID 1325824: (USE_AFTER_FREE)
> Using freed pointer "item".
> 394 for (size_t i = 0; i < num_item && item; ++i, item = *(void
> **)item) {
> 395 ats_free(item);
> 396 }
> 397 }
> 398 }
> 399
> /lib/ts/ink_queue.cc: 390 in malloc_bulkfree(_InkFreeList *, void *, void *,
> unsigned long)()
> 384 void *item = head;
> 385
> 386 // Avoid compiler warnings
> 387 (void)tail;
> 388
> 389 if (f->alignment) {
> CID 1325824: (USE_AFTER_FREE)
> Using freed pointer "item".
> 390 for (size_t i = 0; i < num_item && item; ++i, item = *(void
> **)item) {
> 391 ats_memalign_free(item);
> 392 }
> 393 } else {
> 394 for (size_t i = 0; i < num_item && item; ++i, item = *(void
> **)item) {
> 395 ats_free(item);
> {code}
> Seems we ought to not use the item in the iterator after we've already free'd
> it :).
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
