espressif/esp-idf
1
0
Fork 1
mirror of https://github.com/espressif/esp-idf.git synced 2025-10-02 18:10:57 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'fix/coverity_issue_483747' into 'master'

Browse Source 
Fix possible double memory free in esp_http_client

Closes IDF-13757, IDF-13758, and IDF-13755

See merge request espressif/esp-idf!40934
This commit is contained in:
Mahavir Jain
2025-08-20 14:29:20 +05:30
parent 65a6e9c294 414397c048
commit 1a615729d5
3 changed files with 31 additions and 30 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
components/esp_driver_usb_serial_jtag/src/usb_serial_jtag_vfs.c
View File

@@ -429,24 +429,38 @@ static esp_err_t unregister_select(usb_serial_jtag_select_args_t *args)
for (int i = 0; i < s_registered_select_num; ++i) {
if (s_registered_selects[i] == args) {
const int new_size = s_registered_select_num - 1;
// The item is removed by overwriting it with the last item. The subsequent rellocation will drop the
// last item.
// Move last element to fill gap (only if not removing the last element)
if (i < new_size) {
s_registered_selects[i] = s_registered_selects[new_size];
}
if (new_size == 0) {
// Free the entire array
free(s_registered_selects);
s_registered_selects = NULL;
s_registered_select_num = 0;
ret = ESP_OK;
} else {
// Shrink the array
usb_serial_jtag_select_args_t **new_selects = heap_caps_realloc(s_registered_selects, new_size * sizeof(usb_serial_jtag_select_args_t *), USJ_VFS_MALLOC_FLAGS);
if (new_selects == NULL && new_size > 0) {
if (new_selects == NULL) {
// Realloc failed - restore moved element
if (i < new_size) {
s_registered_selects[new_size] = s_registered_selects[i];
}
ret = ESP_ERR_NO_MEM;
} else {
// Success - update pointer
s_registered_selects = new_selects;
}
// Shrinking a buffer with realloc is guaranteed to succeed.
s_registered_select_num = new_size;
ret = ESP_OK;
}
}
/* when the last select is unregistered, also unregister the callback */
if (s_registered_select_num == 0) {
usb_serial_jtag_set_select_notif_callback(NULL);
}
ret = ESP_OK;
break;
}
}

1
components/esp_http_client/esp_http_client.c
View File

@@ -350,6 +350,7 @@ static int http_on_body(http_parser *parser, const char *at, size_t length)
ESP_LOGE(TAG, "Failed to allocate memory for storing decoded data");
free(res_buffer->orig_raw_data);
res_buffer->orig_raw_data = NULL;
res_buffer->raw_data = NULL;
return -1;
}
res_buffer->orig_raw_data = tmp;

20
components/esp_http_client/lib/http_utils.c
View File

@@ -45,16 +45,9 @@ char *http_utils_assign_string(char **str, const char *new_str, int len)
l = strlen(new_str);
}
if (old_str) {
// old_str should not be reallocated directly, as in case of memory exhaustion,
// it will be lost and we will not be able to free it.
char *tmp = realloc(old_str, l + 1);
if (tmp == NULL) {
free(old_str);
old_str = NULL;
old_str = realloc(old_str, l + 1);
ESP_RETURN_ON_FALSE(old_str, NULL, TAG, "Memory exhausted");
}
old_str = tmp;
old_str[l] = 0; // Ensure the new string is null-terminated
old_str[l] = 0;
} else {
old_str = calloc(1, l + 1);
ESP_RETURN_ON_FALSE(old_str, NULL, TAG, "Memory exhausted");
@@ -75,15 +68,8 @@ char *http_utils_append_string(char **str, const char *new_str, int len)
}
if (old_str) {
old_len = strlen(old_str);
// old_str should not be reallocated directly, as in case of memory exhaustion,
// it will be lost and we will not be able to free it.
char *tmp = realloc(old_str, old_len + l + 1);
if (tmp == NULL) {
free(old_str);
old_str = NULL;
old_str = realloc(old_str, old_len + l + 1);
ESP_RETURN_ON_FALSE(old_str, NULL, TAG, "Memory exhausted");
}
old_str = tmp;
// Ensure the new string is null-terminated
old_str[old_len + l] = 0;
} else {