From 23b17be25d0f3d27a298b1b62addbdb63b2a2ff5 Mon Sep 17 00:00:00 2001
From: David Korczynski
Date: Mon, 24 Jul 2023 10:40:42 -0700
Subject: [PATCH] decode: prometheus: fix to avoid freeing non-malloced data
The fuzzer in https://github.com/fluent/fluent-bit/pull/7745 found a bug that shows the prometheus decoder is sometimes freeing data that is not malloced. This is an attempt to fix that.
Signed-off-by: David Korczynski
---
 src/cmt_decode_prometheus.c | 23 +++++++++--------------
 1 file changed, 9 insertions(+), 14 deletions(-)
diff --git a/src/cmt_decode_prometheus.c b/src/cmt_decode_prometheus.c
index e33a9ef..84fbf51 100644
--- a/src/cmt_decode_prometheus.c
+++ b/src/cmt_decode_prometheus.c
@@ -57,14 +57,8 @@ static void reset_context(struct cmt_decode_prometheus_context *context,
 }
 if (context->metric.ns) {
- if (strcmp(context->metric.ns, "")) {
- /* when namespace is empty, "name" contains a pointer to the
- * allocated string */
- free(context->metric.ns);
- }
- else {
- free(context->metric.name);
- }
+ free(context->metric.ns);
+ free(context->metric.name);
 }
 cfl_sds_destroy(context->strbuf);
@@ -166,20 +160,21 @@ static int split_metric_name(struct cmt_decode_prometheus_context *context,
 }
 *subsystem = strchr(*ns, '_');
 if (!(*subsystem)) {
- *name = *ns;
- *ns = "";
+ *name = strdup(*ns);
+ free(*ns);
+ *ns = strdup("");
 }
 else {
 **subsystem = 0; /* split */
 (*subsystem)++;
 *name = strchr(*subsystem, '_');
 if (!(*name)) {
- *name = *subsystem;
+ *name = strdup(*subsystem);
 *subsystem = "";
 }
 else {
- **name = 0;
- (*name)++;
+ **name = '\0';
+ *name = strdup((*name)++);
 }
 }
 return 0;
@@ -1157,4 +1152,4 @@ static int cmt_decode_prometheus_error(void *yyscanner,
 {
 report_error(context, CMT_DECODE_PROMETHEUS_SYNTAX_ERROR, msg);
 return 0;
-}
+}
\ No newline at end of file
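Review bot: In the reset_context hunk, freeing `context->metric.name` is still gated on `context->metric.ns` being non-NULL, so a name allocated while ns is NULL is leaked. That state is reachable from this same patch, because `*ns = strdup("")` in split_metric_name can fail after `*name` has already been duplicated. Since `free(NULL)` is a no-op, the guard can simply be dropped, leaving `free(context->metric.ns); free(context->metric.name);`. The rest of reset_context is outside the hunk, so if the two pointers are not cleared later in the function, set them to NULL here so that a repeated reset cannot double-free them.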
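Review bot: In the last branch of the split_metric_name hunk, `*name = strdup((*name)++);` hands strdup the pre-increment pointer, which points at the byte set to '\0' on the line before. The copy is therefore always an empty string, and the part of the metric name after the second underscore is lost; `*name = strdup(*name + 1);` copies the intended suffix. None of the four new strdup() results is checked and the function still returns 0, so an allocation failure leaves `*ns` or `*name` NULL for the caller. A check such as `if (*ns == NULL || *name == NULL)` that takes the decoder's error path before `return 0;` would close that gap. The function starts above the hunk, so how `*ns` is first allocated is not visible here.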