linux-user: do_msgrcv: don't leak host_mb upon TARGET_EFAULT failure

Also, use g_malloc to avoid NULL-deref upon OOM. Signed-off-by: Jim Meyering <meyering@redhat.com> Signed-off-by: Anthony Liguori <aliguori@us.ibm.com> (cherry picked from commit 0d07fe47d4986271a21ed4ff5237275ff55dd93f) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
author: Jim Meyering <meyering@redhat.com> 2012-08-22 13:55:53 +0200
committer: Michael Roth <mdroth@linux.vnet.ibm.com> 2012-08-28 01:50:02 -0500
commit: df60f451b3eb94305e63f0bb12c9c361a721bc81 (patch)
tree: e99b7d4366c277522154eaddd386f8aae64f0083
parent: 1bc633246105b629b72728b007fd9d414c6038e8 (diff)
1 files changed, 2 insertions, 2 deletions
diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index 20d2a7487..9bf0b28b8 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -2794,7 +2794,7 @@ static inline abi_long do_msgrcv(int msqid, abi_long msgp,
     if (!lock_user_struct(VERIFY_WRITE, target_mb, msgp, 0))
         return -TARGET_EFAULT;
 
-    host_mb = malloc(msgsz+sizeof(long));
+    host_mb = g_malloc(msgsz+sizeof(long));
     ret = get_errno(msgrcv(msqid, host_mb, msgsz, tswapal(msgtyp), msgflg));
 
     if (ret > 0) {
@@ -2809,11 +2809,11 @@ static inline abi_long do_msgrcv(int msqid, abi_long msgp,
     }
 
     target_mb->mtype = tswapal(host_mb->mtype);
-    free(host_mb);
 
 end:
     if (target_mb)
         unlock_user_struct(target_mb, msgp, 1);
+    g_free(host_mb);
     return ret;
 }
author	Jim Meyering <meyering@redhat.com>	2012-08-22 13:55:53 +0200
committer	Michael Roth <mdroth@linux.vnet.ibm.com>	2012-08-28 01:50:02 -0500
commit	df60f451b3eb94305e63f0bb12c9c361a721bc81 (patch)
tree	e99b7d4366c277522154eaddd386f8aae64f0083
parent	1bc633246105b629b72728b007fd9d414c6038e8 (diff)