From d9e90499b7ead7e9fae30b9c248b343ec6d9b273 Mon Sep 17 00:00:00 2001 From: Yoichi NAKAYAMA Date: Tue, 19 Jun 2012 19:13:46 +0900 Subject: [PATCH] Fix memory leak and access violation in UpnpSendAction(Ex)Async. Free buffers after malloc or ixmlPrintNode failure. Free Param->Header before destructing Param. --- ChangeLog | 7 +++++++ upnp/src/api/upnpapi.c | 6 +++++- 2 files changed, 12 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index aa33651..904d009 100644 --- a/ChangeLog +++ b/ChangeLog @@ -2,6 +2,13 @@ Version 1.6.18 ******************************************************************************* +2012-06-19 Yoichi NAKAYAMA + + Fix memory leak and access violation in UpnpSendAction(Ex)Async. + + Free buffers after malloc or ixmlPrintNode failure. + Free Param->Header before destructing Param. + 2012-05-25 Anoop Mohan This patch fixes a bug in non blocking connect call where the sock diff --git a/upnp/src/api/upnpapi.c b/upnp/src/api/upnpapi.c index e5196bf..dcc62bb 100644 --- a/upnp/src/api/upnpapi.c +++ b/upnp/src/api/upnpapi.c @@ -2736,6 +2736,7 @@ int UpnpSendActionAsync( malloc( sizeof( struct UpnpNonblockParam ) ); if( Param == NULL ) { + ixmlFreeDOMString( tmpStr ); return UPNP_E_OUTOF_MEMORY; } memset( Param, 0, sizeof( struct UpnpNonblockParam ) ); @@ -2829,6 +2830,7 @@ int UpnpSendActionExAsync( tmpStr = ixmlPrintNode( ( IXML_Node * ) Act ); if( tmpStr == NULL ) { + ixmlFreeDOMString( headerStr ); return UPNP_E_INVALID_ACTION; } @@ -2836,6 +2838,8 @@ int UpnpSendActionExAsync( ( struct UpnpNonblockParam * ) malloc( sizeof( struct UpnpNonblockParam ) ); if( Param == NULL ) { + ixmlFreeDOMString( tmpStr ); + ixmlFreeDOMString( headerStr ); return UPNP_E_OUTOF_MEMORY; } memset( Param, 0, sizeof( struct UpnpNonblockParam ) ); @@ -2859,10 +2863,10 @@ int UpnpSendActionExAsync( retVal = ixmlParseBufferEx( tmpStr, &( Param->Act ) ); if( retVal != IXML_SUCCESS ) { + ixmlDocument_free( Param->Header ); free( Param ); ixmlFreeDOMString( tmpStr ); ixmlFreeDOMString( headerStr ); - ixmlDocument_free( Param->Header ); if( retVal == IXML_INSUFFICIENT_MEMORY ) { return UPNP_E_OUTOF_MEMORY; } else {