fix sandbox memory leak

The memory allocated by AllocAndCopyName was not being freed if the in-process policy engine did not allow the request to query the broker. This was nicely reported by typo.pl@gmail.com TEST=see bug BUG=414039 Review URL: https://codereview.chromium.org/575623004 Cr-Commit-Position: refs/heads/master@{#295220}

fix sandbox memory leak
The memory allocated by AllocAndCopyName was not being freed if the in-process policy engine did not allow the request to query the broker. This was nicely reported by typo.pl@gmail.com TEST=see bug BUG=414039 Review URL: https://codereview.chromium.org/575623004 Cr-Commit-Position: refs/heads/master@{#295220}
6f396e25 · cpu · Commit bot · 7a2b1cb8 · 6f396e25
Commit 6f396e25 authored Sep 16, 2014 by cpu Committed by Commit bot Sep 17, 2014
Hide whitespace changes
Inline Side-by-side

Showing with 20 additions and 11 deletions

sandbox/win/src/filesystem_interception.cc sandbox/win/src/filesystem_interception.cc +20 -11

No files found.
--- a/sandbox/win/src/filesystem_interception.cc
+++ b/sandbox/win/src/filesystem_interception.cc
@@ -35,6 +35,7 @@ NTSTATUS WINAPI TargetNtCreateFile(NtCreateFileFunction orig_CreateFile,
  if (!SandboxFactory::GetTargetServices()->GetState()->InitCalled())
    return status;

+  wchar_t* name = NULL;
  do {
    if (!ValidParameter(file, sizeof(HANDLE), WRITE))
      break;
@@ -45,7 +46,6 @@ NTSTATUS WINAPI TargetNtCreateFile(NtCreateFileFunction orig_CreateFile,
    if (NULL == memory)
      break;

-    wchar_t* name;
    uint32 attributes = 0;
    NTSTATUS ret = AllocAndCopyName(object_attributes, &name, &attributes,
                                    NULL);
@@ -69,9 +69,6 @@ NTSTATUS WINAPI TargetNtCreateFile(NtCreateFileFunction orig_CreateFile,
    ResultCode code = CrossCall(ipc, IPC_NTCREATEFILE_TAG, name, attributes,
                                desired_access, file_attributes, sharing,
                                disposition, options, &answer);
-
-    operator delete(name, NT_ALLOC);
-
    if (SBOX_ALL_OK != code)
      break;

@@ -88,6 +85,9 @@ NTSTATUS WINAPI TargetNtCreateFile(NtCreateFileFunction orig_CreateFile,
    }
  } while (false);

+  if (name)
+    operator delete(name, NT_ALLOC);
+
  return status;
 }

@@ -106,6 +106,7 @@ NTSTATUS WINAPI TargetNtOpenFile(NtOpenFileFunction orig_OpenFile, PHANDLE file,
  if (!SandboxFactory::GetTargetServices()->GetState()->InitCalled())
    return status;

+  wchar_t* name = NULL;
  do {
    if (!ValidParameter(file, sizeof(HANDLE), WRITE))
      break;
@@ -116,7 +117,6 @@ NTSTATUS WINAPI TargetNtOpenFile(NtOpenFileFunction orig_OpenFile, PHANDLE file,
    if (NULL == memory)
      break;

-    wchar_t* name;
    uint32 attributes;
    NTSTATUS ret = AllocAndCopyName(object_attributes, &name, &attributes,
                                    NULL);
@@ -137,9 +137,6 @@ NTSTATUS WINAPI TargetNtOpenFile(NtOpenFileFunction orig_OpenFile, PHANDLE file,
    CrossCallReturn answer = {0};
    ResultCode code = CrossCall(ipc, IPC_NTOPENFILE_TAG, name, attributes,
                                desired_access, sharing, options, &answer);
-
-    operator delete(name, NT_ALLOC);
-
    if (SBOX_ALL_OK != code)
      break;

@@ -156,6 +153,9 @@ NTSTATUS WINAPI TargetNtOpenFile(NtOpenFileFunction orig_OpenFile, PHANDLE file,
    }
  } while (false);

+  if (name)
+    operator delete(name, NT_ALLOC);
+
  return status;
 }

@@ -172,6 +172,7 @@ NTSTATUS WINAPI TargetNtQueryAttributesFile(
  if (!SandboxFactory::GetTargetServices()->GetState()->InitCalled())
    return status;

+  wchar_t* name = NULL;
  do {
    if (!ValidParameter(file_attributes, sizeof(FILE_BASIC_INFORMATION), WRITE))
      break;
@@ -180,7 +181,6 @@ NTSTATUS WINAPI TargetNtQueryAttributesFile(
    if (NULL == memory)
      break;

-    wchar_t* name = NULL;
    uint32 attributes = 0;
    NTSTATUS ret = AllocAndCopyName(object_attributes, &name, &attributes,
                                    NULL);
@@ -212,6 +212,9 @@ NTSTATUS WINAPI TargetNtQueryAttributesFile(

  } while (false);

+  if (name)
+    operator delete(name, NT_ALLOC);
+
  return status;
 }

@@ -229,6 +232,7 @@ NTSTATUS WINAPI TargetNtQueryFullAttributesFile(
  if (!SandboxFactory::GetTargetServices()->GetState()->InitCalled())
    return status;

+  wchar_t* name = NULL;
  do {
    if (!ValidParameter(file_attributes, sizeof(FILE_NETWORK_OPEN_INFORMATION),
                        WRITE))
@@ -238,7 +242,6 @@ NTSTATUS WINAPI TargetNtQueryFullAttributesFile(
    if (NULL == memory)
      break;

-    wchar_t* name = NULL;
    uint32 attributes = 0;
    NTSTATUS ret = AllocAndCopyName(object_attributes, &name, &attributes,
                                    NULL);
@@ -269,6 +272,9 @@ NTSTATUS WINAPI TargetNtQueryFullAttributesFile(
    return answer.nt_status;
  } while (false);

+  if (name)
+    operator delete(name, NT_ALLOC);
+
  return status;
 }

@@ -286,6 +292,7 @@ NTSTATUS WINAPI TargetNtSetInformationFile(
  if (!SandboxFactory::GetTargetServices()->GetState()->InitCalled())
    return status;

+  wchar_t* name = NULL;
  do {
    void* memory = GetGlobalIPCMemory();
    if (NULL == memory)
@@ -315,7 +322,6 @@ NTSTATUS WINAPI TargetNtSetInformationFile(
      break;
    }

-    wchar_t* name;
    NTSTATUS ret = AllocAndCopyName(&object_attributes, &name, NULL, NULL);
    if (!NT_SUCCESS(ret) || !name)
      break;
@@ -345,6 +351,9 @@ NTSTATUS WINAPI TargetNtSetInformationFile(
    status = answer.nt_status;
  } while (false);

+  if (name)
+    operator delete(name, NT_ALLOC);
+
  return status;
 }