Potential memory leak in sFlow API

From: Matt Woodley <contactmwoodley@gmail.com>
Date: 10/05/09
Message-ID: <b5c705d70910050952n13aeabd1j2297466f014c29c7@mail.gmail.com>

Hi,

I recently came across a potential memory leak within the Agent code that
can occur when an Agent sets a Poller or Sampler's receiver to Null.

Within the sFlow API, Pollers and Samplers are maintained as linked lists,
with the head maintained at the Agent. The links are stored as pointers
within the SFLPoller and SFLSampler structs respectively.
This list is used for cleanup when "sfl_agent_release" is called. However,
if during the lifetime of a Poller (or Sampler),
"sfl_poller_set_sFlowCpReceiver" is invoked with a Null receiver, the
behaviour is to memset the current Poller, which resets the "nxt" pointer
which points to the next poller in the linked list, effectively truncating
the list at the current Poller.

Now, when "sfl_agent_release" is called, depending on the order of Pollers,
and whose receivers were set to 0, anywhere from 1 to N Pollers will be
freed, leaving the rest as leaked memory, assuming the code using the API
has dropped all references as well.

Thanks,

Matt
Received on Mon Oct 5 09:53:06 2009
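Added example (not sFlow reference code; the struct and function names are hypothetical stand-ins): a toy model of the poller list that shows how a memset-style reset of the current poller zeroes its "nxt" link and shortens what the release walk can reach, beside a setter that preserves the link.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for SFLPoller: only the two fields that matter here. */
typedef struct Poller {
    void *receiver;       /* models the sFlowCpReceiver binding */
    struct Poller *nxt;   /* agent-owned link to the next poller */
} Poller;

/* Buggy pattern: clearing the receiver by wiping the whole struct also zeroes nxt. */
static void set_receiver_buggy(Poller *p, void *recv) {
    if (recv == NULL) { memset(p, 0, sizeof *p); return; }
    p->receiver = recv;
}

/* Fixed pattern: preserve the list link across the reset. */
static void set_receiver_fixed(Poller *p, void *recv) {
    Poller *saved_nxt = p->nxt;
    if (recv == NULL) { memset(p, 0, sizeof *p); p->nxt = saved_nxt; return; }
    p->receiver = recv;
}

/* Number of pollers a release walk starting at head can still reach. */
static int reachable_from(const Poller *head) {
    int n = 0;
    for (; head; head = head->nxt) n++;
    return n;
}

/* Build n pollers, clear the receiver of the k-th (0-based from the head) with
 * the buggy or the fixed setter, and return how many the release walk would
 * free. All nodes are freed through a side table so this demo itself is leak-free. */
int pollers_freed_after_clear(int n, int k, int use_fix) {
    Poller **nodes = calloc((size_t)n, sizeof *nodes);
    Poller *head = NULL;
    for (int i = 0; i < n; i++) {          /* push-front: last allocated is head */
        nodes[i] = calloc(1, sizeof **nodes);
        nodes[i]->receiver = nodes[i];     /* any non-NULL receiver */
        nodes[i]->nxt = head;
        head = nodes[i];
    }
    Poller *p = head;
    for (int i = 0; i < k && p; i++) p = p->nxt;
    if (p) (use_fix ? set_receiver_fixed : set_receiver_buggy)(p, NULL);
    int freed = reachable_from(head);
    for (int i = 0; i < n; i++) free(nodes[i]);
    free(nodes);
    return freed;
}
```

With five pollers and the third one cleared, the buggy setter leaves the release walk able to free only three; clearing the last poller happens to free all five, which is the "1 to N" range described above.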
