Changeset 68307 in vbox for trunk

Timestamp:

Aug 6, 2017 7:04:02 PM (7 years ago)

Author:

vboxsync

Message:

Additions/Solaris/Mouse: try to fix message freeing.

bugref:8953: Solaris Additions/pointer driver: BUG 26414285: DOUBLE-FREE FROM VBOX CODE
Hopefully remove the freemsg() call which was responsible for a double free
reported by the Solaris team, and try to fix some other potential memory
issues as well.

File:

• trunk/src/VBox/Additions/solaris/Mouse/vboxms.c (modified) (4 diffs)

trunk/src/VBox/Additions/solaris/Mouse/vboxms.c

@@ -655 +655 @@
 
             /* We have no one below us to pass the message on to. */
+            freemsg(pMBlk);
             return 0;
         /* M_IOCDATA is additional data attached to (at least) transparent
@@ -1196 +1197 @@
                  (void *)pCopyResp->cp_private));
     if (pCopyResp->cp_rval)  /* cp_rval is a pointer used as a boolean. */
-    {
-        freemsg(pMBlk);
         return EAGAIN;
-    }
     if ((pCopyResp->cp_private && enmDirection == BOTH) || enmDirection == IN)
     {
@@ -1207 +1205 @@
 
         if (!pMBlk->b_cont)
-            return EINVAL;
-        if (enmDirection == BOTH && !pCopyResp->cp_private)
             return EINVAL;
         pvData = pMBlk->b_cont->b_rptr;
@@ -1216 +1212 @@
         else if (!err && enmDirection == IN)
             vbmsSolAcknowledgeIOCtl(pMBlk, 0, 0);
+        if ((err || enmDirection == IN) && pCopyResp->cp_private)
+            freemsg(pCopyResp->cp_private);
         return err;
     }
     else
     {
+        if (pCopyResp->cp_private)
+            freemsg(pCopyResp->cp_private);
         AssertReturn(enmDirection == OUT || enmDirection == BOTH, EINVAL);
         vbmsSolAcknowledgeIOCtl(pMBlk, 0, 0);