bugfix: fix various resource leaks (#6367)

Fix memory and descriptor leaks. Signed-off-by: Ilya Pankratov <i.pankratov.main@gmail.com>
2026-05-21 06:45:29 -06:00 · 2024-06-05 20:16:01 +03:00 · 2024-06-05 20:16:01 +03:00 · 03ea436e1c
commit 03ea436e1c
parent 53ad8d7912
11 changed files with 29 additions and 4 deletions
--- a/src/fids/main.c
+++ b/src/fids/main.c
@ -106,9 +106,9 @@ static void file_checksum(const char *fname) {
 	}
 	else {
 		content = mmap(NULL, size, PROT_READ, MAP_PRIVATE, fd, 0);
-		close(fd);
 		mmapped = 1;
 	}
+	close(fd);

 	unsigned char checksum[KEY_SIZE / 8];
 	blake2b(checksum, sizeof(checksum), content, size);
--- a/src/firecfg/desktop_files.c
+++ b/src/firecfg/desktop_files.c
@ -300,6 +300,7 @@ void fix_desktop_files(const char *homedir) {

 		if (stat(outname, &sb) == 0) {
 			printf("   %s skipped: file exists\n", filename);
+			free(outname);
 			if (change_exec)
 				free(change_exec);
 			continue;
@ -308,6 +309,7 @@ void fix_desktop_files(const char *homedir) {
 		FILE *fpin = fopen(filename, "r");
 		if (!fpin) {
 			fprintf(stderr, "Warning: cannot open /usr/share/applications/%s\n", filename);
+			free(outname);
 			if (change_exec)
 				free(change_exec);
 			continue;
@ -317,6 +319,7 @@ void fix_desktop_files(const char *homedir) {
 		if (!fpout) {
 			fprintf(stderr, "Warning: cannot open ~/.local/share/applications/%s\n", outname);
 			fclose(fpin);
+			free(outname);
 			if (change_exec)
 				free(change_exec);
 			continue;
--- a/src/firejail/bandwidth.c
+++ b/src/firejail/bandwidth.c
@ -198,6 +198,8 @@ static void read_bandwidth_file(pid_t pid) {

 		fclose(fp);
 	}
+
+	free(fname);
 }

 static void write_bandwidth_file(pid_t pid) {
@ -217,6 +219,7 @@ static void write_bandwidth_file(pid_t pid) {
 			ptr = ptr->next;
 		}
 		fclose(fp);
+		free(fname);
 	}
 	else
 		goto errout;
--- a/src/firejail/fs_home.c
+++ b/src/firejail/fs_home.c
@ -67,8 +67,10 @@ static void skel(const char *homedir) {
 		if (asprintf(&fname, "%s/.zshrc", homedir) == -1)
 			errExit("asprintf");
 		// don't copy it if we already have the file
-		if (access(fname, F_OK) == 0)
+		if (access(fname, F_OK) == 0) {
+			free(fname);
 			return;
+		}
 		if (is_link(fname)) { // access(3) on dangling symlinks fails, try again using lstat
 			fprintf(stderr, "Error: invalid %s file\n", fname);
 			exit(1);
@ -91,8 +93,10 @@ static void skel(const char *homedir) {
 		if (asprintf(&fname, "%s/.cshrc", homedir) == -1)
 			errExit("asprintf");
 		// don't copy it if we already have the file
-		if (access(fname, F_OK) == 0)
+		if (access(fname, F_OK) == 0) {
+			free(fname);
 			return;
+		}
 		if (is_link(fname)) { // access(3) on dangling symlinks fails, try again using lstat
 			fprintf(stderr, "Error: invalid %s file\n", fname);
 			exit(1);
@ -115,8 +119,10 @@ static void skel(const char *homedir) {
 		if (asprintf(&fname, "%s/.bashrc", homedir) == -1)
 			errExit("asprintf");
 		// don't copy it if we already have the file
-		if (access(fname, F_OK) == 0)
+		if (access(fname, F_OK) == 0) {
+			free(fname);
 			return;
+		}
 		if (is_link(fname)) { // access(3) on dangling symlinks fails, try again using lstat
 			fprintf(stderr, "Error: invalid %s file\n", fname);
 			exit(1);
--- a/src/firejail/ids.c
+++ b/src/firejail/ids.c
@ -42,6 +42,7 @@ static void ids_init(void) {
 	if (dup(fd) != STDOUT_FILENO)
 		errExit("dup");
 	close(fd);
+	free(fname);

 	sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 3, PATH_FIDS, "--init", cfg.homedir);
 }
@ -63,6 +64,7 @@ static void ids_check(void) {
 	if (dup(fd) != STDIN_FILENO)
 		errExit("dup");
 	close(fd);
+	free(fname);

 	sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP| SBOX_ALLOW_STDIN, 3, PATH_FIDS, "--check", cfg.homedir);
 }
--- a/src/firejail/run_files.c
+++ b/src/firejail/run_files.c
@ -122,6 +122,7 @@ void set_name_run_file(pid_t pid) {
 	// mode and ownership
 	SET_PERMS_STREAM(fp, 0, 0, 0644);
 	fclose(fp);
+	free(fname);
 }


@ -141,6 +142,7 @@ void set_x11_run_file(pid_t pid, int display) {
 	// mode and ownership
 	SET_PERMS_STREAM(fp, 0, 0, 0644);
 	fclose(fp);
+	free(fname);
 }

 void set_profile_run_file(pid_t pid, const char *fname) {
--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@ -1392,6 +1392,7 @@ void enter_network_namespace(pid_t pid) {
 		fprintf(stderr, "Error: the sandbox doesn't use a new network namespace\n");
 		exit(1);
 	}
+	free(name);

 	// join the namespace
 	EUID_ROOT();
--- a/src/firemon/netstats.c
+++ b/src/firemon/netstats.c
@ -152,10 +152,12 @@ static void print_proc(int index, int itv, int col) {
 	struct stat s;
 	if (stat(name, &s) == -1) {
 		// the sandbox doesn't have a --net= option, don't print
+		free(name);
 		if (cmd)
 			free(cmd);
 		return;
 	}
+	free(name);

 	// pid
 	char pidstr[11];
--- a/src/jailcheck/access.c
+++ b/src/jailcheck/access.c
@ -80,10 +80,13 @@ void access_setup(const char *directory) {
 	FILE *fp = fopen(test_file, "w");
 	if (!fp) {
 		printf("Warning: I cannot create test file in directory %s, skipping...\n", directory);
+		free(test_file);
+		free(path);
 		return;
 	}
 	fprintf(fp, "this file was created by firetest utility, you can safely delete it\n");
 	fclose(fp);
+	free(path);
 	int rv = chown(test_file, user_uid, user_gid);
 	if (rv)
 		errExit("chown");
--- a/src/jailcheck/noexec.c
+++ b/src/jailcheck/noexec.c
@ -55,6 +55,7 @@ void noexec_setup(void) {
 			execfile_len = s.st_size;
 			close(fd);
 		}
+		free(self);
 	}
 }

@ -110,4 +111,5 @@ void noexec_test(const char *path) {
 	wait(&status);
 	int rv = unlink(fname);
 	(void) rv;
+	free(fname);
 }
--- a/src/jailcheck/virtual.c
+++ b/src/jailcheck/virtual.c
@ -49,6 +49,7 @@ void virtual_setup(const char *directory) {
 	FILE *fp = fopen(test_file, "w");
 	if (!fp) {
 		printf("Warning: I cannot create test file in directory %s, skipping...\n", directory);
+		free(test_file);
 		return;
 	}
 	fprintf(fp, "this file was created by firetest utility, you can safely delete it\n");