Fix resource leaks and a typo

Ilya Pankratov · Ilya Pankratov · commit 46aaf00d2df0 · 2024-06-03T09:27:06.000+03:00
Signed-off-by: Ilya Pankratov &lt;i.pankratov@omp.ru&gt;
diff --git a/src/fids/main.c b/src/fids/main.c
@@ -106,9 +106,9 @@ static void file_checksum(const char *fname) {
 	}
 	else {
 		content = mmap(NULL, size, PROT_READ, MAP_PRIVATE, fd, 0);
-		close(fd);
 		mmapped = 1;
 	}
+	close(fd);
 
 	unsigned char checksum[KEY_SIZE / 8];
 	blake2b(checksum, sizeof(checksum), content, size);
diff --git a/src/firecfg/desktop_files.c b/src/firecfg/desktop_files.c
@@ -302,6 +302,7 @@ void fix_desktop_files(const char *homedir) {
 			printf("   %s skipped: file exists\n", filename);
 			if (change_exec)
 				free(change_exec);
+			free(outname);
 			continue;
 		}
 
@@ -310,6 +311,7 @@ void fix_desktop_files(const char *homedir) {
 			fprintf(stderr, "Warning: cannot open /usr/share/applications/%s\n", filename);
 			if (change_exec)
 				free(change_exec);
+			free(outname);
 			continue;
 		}
 
@@ -319,6 +321,7 @@ void fix_desktop_files(const char *homedir) {
 			fclose(fpin);
 			if (change_exec)
 				free(change_exec);
+			free(outname);
 			continue;
 		}
 		fprintf(fpout, "# converted by firecfg\n");
diff --git a/src/firejail/bandwidth.c b/src/firejail/bandwidth.c
@@ -198,6 +198,7 @@ static void read_bandwidth_file(pid_t pid) {
 
 		fclose(fp);
 	}
+	free(fname);
 }
 
 static void write_bandwidth_file(pid_t pid) {
@@ -217,6 +218,7 @@ static void write_bandwidth_file(pid_t pid) {
 			ptr = ptr->next;
 		}
 		fclose(fp);
+		free(fname);
 	}
 	else
 		goto errout;
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
@@ -293,6 +293,7 @@ void fs_blacklist(void) {
 	while (entry) {
 		OPERATION op = OPERATION_MAX;
 		char *ptr;
+		int free_macros = 0;
 
 		// whitelist commands handled by fs_whitelist()
 		if (strncmp(entry->data, "whitelist ", 10) == 0 ||
@@ -359,6 +360,7 @@ void fs_blacklist(void) {
 				if (!enames)
 					errExit("calloc");
 				enames[0] = expand_macros(entry->data + 12);
+				free_macros = 1;
 				assert(enames[1] == 0);
 			}
 
@@ -372,6 +374,9 @@ void fs_blacklist(void) {
 				noblacklist[noblacklist_c++] = enames[i];
 			}
 
+			if (free_macros) {
+				free(enames[0]);
+			}
 			free(enames);
 
 			entry = entry->next;
diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c
@@ -67,8 +67,10 @@ static void skel(const char *homedir) {
 		if (asprintf(&fname, "%s/.zshrc", homedir) == -1)
 			errExit("asprintf");
 		// don't copy it if we already have the file
-		if (access(fname, F_OK) == 0)
+		if (access(fname, F_OK) == 0) {
+			free(fname);
 			return;
+		}
 		if (is_link(fname)) { // access(3) on dangling symlinks fails, try again using lstat
 			fprintf(stderr, "Error: invalid %s file\n", fname);
 			exit(1);
@@ -91,8 +93,10 @@ static void skel(const char *homedir) {
 		if (asprintf(&fname, "%s/.cshrc", homedir) == -1)
 			errExit("asprintf");
 		// don't copy it if we already have the file
-		if (access(fname, F_OK) == 0)
+		if (access(fname, F_OK) == 0) {
+			free(fname);
 			return;
+		}
 		if (is_link(fname)) { // access(3) on dangling symlinks fails, try again using lstat
 			fprintf(stderr, "Error: invalid %s file\n", fname);
 			exit(1);
@@ -115,8 +119,10 @@ static void skel(const char *homedir) {
 		if (asprintf(&fname, "%s/.bashrc", homedir) == -1)
 			errExit("asprintf");
 		// don't copy it if we already have the file
-		if (access(fname, F_OK) == 0)
+		if (access(fname, F_OK) == 0) {
+			free(fname);
 			return;
+		}
 		if (is_link(fname)) { // access(3) on dangling symlinks fails, try again using lstat
 			fprintf(stderr, "Error: invalid %s file\n", fname);
 			exit(1);
diff --git a/src/firejail/ids.c b/src/firejail/ids.c
@@ -42,6 +42,7 @@ static void ids_init(void) {
 	if (dup(fd) != STDOUT_FILENO)
 		errExit("dup");
 	close(fd);
+	free(fname);
 
 	sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 3, PATH_FIDS, "--init", cfg.homedir);
 }
@@ -63,6 +64,7 @@ static void ids_check(void) {
 	if (dup(fd) != STDIN_FILENO)
 		errExit("dup");
 	close(fd);
+	free(fname);
 
 	sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP| SBOX_ALLOW_STDIN, 3, PATH_FIDS, "--check", cfg.homedir);
 }
diff --git a/src/firejail/run_files.c b/src/firejail/run_files.c
@@ -122,6 +122,7 @@ void set_name_run_file(pid_t pid) {
 	// mode and ownership
 	SET_PERMS_STREAM(fp, 0, 0, 0644);
 	fclose(fp);
+	free(fname);
 }
 
 
@@ -141,6 +142,7 @@ void set_x11_run_file(pid_t pid, int display) {
 	// mode and ownership
 	SET_PERMS_STREAM(fp, 0, 0, 0644);
 	fclose(fp);
+	free(fname);
 }
 
 void set_profile_run_file(pid_t pid, const char *fname) {
diff --git a/src/firejail/util.c b/src/firejail/util.c
@@ -1392,6 +1392,7 @@ void enter_network_namespace(pid_t pid) {
 		fprintf(stderr, "Error: the sandbox doesn't use a new network namespace\n");
 		exit(1);
 	}
+	free(name);
 
 	// join the namespace
 	EUID_ROOT();
diff --git a/src/firemon/netstats.c b/src/firemon/netstats.c
@@ -154,6 +154,7 @@ static void print_proc(int index, int itv, int col) {
 		// the sandbox doesn't have a --net= option, don't print
 		if (cmd)
 			free(cmd);
+		free(name);
 		return;
 	}
 
@@ -189,7 +190,7 @@ static void print_proc(int index, int itv, int col) {
 		free(cmd);
 	if (user)
 		free(user);
-
+	free(name);
 }
 
 void netstats(void) {
diff --git a/src/jailcheck/access.c b/src/jailcheck/access.c
@@ -80,10 +80,13 @@ void access_setup(const char *directory) {
 	FILE *fp = fopen(test_file, "w");
 	if (!fp) {
 		printf("Warning: I cannot create test file in directory %s, skipping...\n", directory);
+		free(path);
+		free(test_file);
 		return;
 	}
 	fprintf(fp, "this file was created by firetest utility, you can safely delete it\n");
 	fclose(fp);
+	free(path);
 	int rv = chown(test_file, user_uid, user_gid);
 	if (rv)
 		errExit("chown");
diff --git a/src/jailcheck/noexec.c b/src/jailcheck/noexec.c
@@ -55,6 +55,7 @@ void noexec_setup(void) {
 			execfile_len = s.st_size;
 			close(fd);
 		}
+		free(self);
 	}
 }
 
@@ -109,5 +110,6 @@ void noexec_test(const char *path) {
 	int status;
 	wait(&status);
 	int rv = unlink(fname);
+	free(fname);
 	(void) rv;
 }
diff --git a/src/jailcheck/virtual.c b/src/jailcheck/virtual.c
@@ -49,6 +49,7 @@ void virtual_setup(const char *directory) {
 	FILE *fp = fopen(test_file, "w");
 	if (!fp) {
 		printf("Warning: I cannot create test file in directory %s, skipping...\n", directory);
+		free(test_file);
 		return;
 	}
 	fprintf(fp, "this file was created by firetest utility, you can safely delete it\n");
diff --git a/src/profstats/main.c b/src/profstats/main.c
@@ -344,7 +344,7 @@ int main(int argc, char **argv) {
 		if (cnt_seccomp > (seccomp + 1))
 			cnt_seccomp = seccomp + 1;
 		if (cnt_restrict_namespaces > (restrict_namespaces + 1))
-			cnt_seccomp = restrict_namespaces + 1;
+			cnt_restrict_namespaces = restrict_namespaces + 1;
 		if (cnt_dbus_user_none > (dbususernone + 1))
 			cnt_dbus_user_none = dbususernone + 1;
 		if (cnt_dbus_user_filter > (dbususerfilter + 1))

Original file line number	Diff line number	Diff line change
`@@ -106,9 +106,9 @@ static void file_checksum(const char *fname) {`
`106`	`106`	`}`
`107`	`107`	`else {`
`108`	`108`	`content = mmap(NULL, size, PROT_READ, MAP_PRIVATE, fd, 0);`
`109`		`- close(fd);`
`110`	`109`	`mmapped = 1;`
`111`	`110`	`}`
	`111`	`+ close(fd);`
`112`	`112`
`113`	`113`	`unsigned char checksum[KEY_SIZE / 8];`
`114`	`114`	`blake2b(checksum, sizeof(checksum), content, size);`
Original file line number	Diff line number	Diff line change
`@@ -198,6 +198,7 @@ static void read_bandwidth_file(pid_t pid) {`
`198`	`198`
`199`	`199`	`fclose(fp);`
`200`	`200`	`}`
	`201`	`+ free(fname);`
`201`	`202`	`}`
`202`	`203`
`203`	`204`	`static void write_bandwidth_file(pid_t pid) {`
`@@ -217,6 +218,7 @@ static void write_bandwidth_file(pid_t pid) {`
`217`	`218`	`ptr = ptr->next;`
`218`	`219`	`}`
`219`	`220`	`fclose(fp);`
	`221`	`+ free(fname);`
`220`	`222`	`}`
`221`	`223`	`else`
`222`	`224`	`goto errout;`
Original file line number	Diff line number	Diff line change
`@@ -42,6 +42,7 @@ static void ids_init(void) {`
`42`	`42`	`if (dup(fd) != STDOUT_FILENO)`
`43`	`43`	`errExit("dup");`
`44`	`44`	`close(fd);`
	`45`	`+ free(fname);`
`45`	`46`
`46`	`47`	`sbox_run(SBOX_USER \| SBOX_CAPS_NONE \| SBOX_SECCOMP, 3, PATH_FIDS, "--init", cfg.homedir);`
`47`	`48`	`}`
`@@ -63,6 +64,7 @@ static void ids_check(void) {`
`63`	`64`	`if (dup(fd) != STDIN_FILENO)`
`64`	`65`	`errExit("dup");`
`65`	`66`	`close(fd);`
	`67`	`+ free(fname);`
`66`	`68`
`67`	`69`	`sbox_run(SBOX_USER \| SBOX_CAPS_NONE \| SBOX_SECCOMP\| SBOX_ALLOW_STDIN, 3, PATH_FIDS, "--check", cfg.homedir);`
`68`	`70`	`}`
Original file line number	Diff line number	Diff line change
`@@ -122,6 +122,7 @@ void set_name_run_file(pid_t pid) {`
`122`	`122`	`// mode and ownership`
`123`	`123`	`SET_PERMS_STREAM(fp, 0, 0, 0644);`
`124`	`124`	`fclose(fp);`
	`125`	`+ free(fname);`
`125`	`126`	`}`
`126`	`127`
`127`	`128`
`@@ -141,6 +142,7 @@ void set_x11_run_file(pid_t pid, int display) {`
`141`	`142`	`// mode and ownership`
`142`	`143`	`SET_PERMS_STREAM(fp, 0, 0, 0644);`
`143`	`144`	`fclose(fp);`
	`145`	`+ free(fname);`
`144`	`146`	`}`
`145`	`147`
`146`	`148`	`void set_profile_run_file(pid_t pid, const char *fname) {`
Original file line number	Diff line number	Diff line change
`@@ -1392,6 +1392,7 @@ void enter_network_namespace(pid_t pid) {`
`1392`	`1392`	`fprintf(stderr, "Error: the sandbox doesn't use a new network namespace\n");`
`1393`	`1393`	`exit(1);`
`1394`	`1394`	`}`
	`1395`	`+ free(name);`
`1395`	`1396`
`1396`	`1397`	`// join the namespace`
`1397`	`1398`	`EUID_ROOT();`
Original file line number	Diff line number	Diff line change
`@@ -154,6 +154,7 @@ static void print_proc(int index, int itv, int col) {`
`154`	`154`	`// the sandbox doesn't have a --net= option, don't print`
`155`	`155`	`if (cmd)`
`156`	`156`	`free(cmd);`
	`157`	`+ free(name);`
`157`	`158`	`return;`
`158`	`159`	`}`
`159`	`160`
`@@ -189,7 +190,7 @@ static void print_proc(int index, int itv, int col) {`
`189`	`190`	`free(cmd);`
`190`	`191`	`if (user)`
`191`	`192`	`free(user);`
`192`		`-`
	`193`	`+ free(name);`
`193`	`194`	`}`
`194`	`195`
`195`	`196`	`void netstats(void) {`
Original file line number	Diff line number	Diff line change
`@@ -55,6 +55,7 @@ void noexec_setup(void) {`
`55`	`55`	`execfile_len = s.st_size;`
`56`	`56`	`close(fd);`
`57`	`57`	`}`
	`58`	`+ free(self);`
`58`	`59`	`}`
`59`	`60`	`}`
`60`	`61`
`@@ -109,5 +110,6 @@ void noexec_test(const char *path) {`
`109`	`110`	`int status;`
`110`	`111`	`wait(&status);`
`111`	`112`	`int rv = unlink(fname);`
	`113`	`+ free(fname);`
`112`	`114`	`(void) rv;`
`113`	`115`	`}`
Original file line number	Diff line number	Diff line change
`@@ -49,6 +49,7 @@ void virtual_setup(const char *directory) {`
`49`	`49`	`FILE *fp = fopen(test_file, "w");`
`50`	`50`	`if (!fp) {`
`51`	`51`	`printf("Warning: I cannot create test file in directory %s, skipping...\n", directory);`
	`52`	`+ free(test_file);`
`52`	`53`	`return;`
`53`	`54`	`}`
`54`	`55`	`fprintf(fp, "this file was created by firetest utility, you can safely delete it\n");`