From c1155d296c093590e1c1c39a1a181fb7efdabf7b Mon Sep 17 00:00:00 2001
From: Thomas Markwalder <tmark@isc.org>
Date: Mon, 14 Oct 2019 14:52:31 -0400
Subject: [#9,!11] Fixed reference leaks

common/dns.c
    cache_found_zone() - fixed 1 leaked reference

common/execute.c
    execute_statements() - fixed 3 leaked references

common/options.c
    parse_option_buffer() - fixed 3 leaked references

relay/dhcrelay.c
    process_down6() - fixed 1 leaked reference

server/confpars.c
    parse_statement() - fixed 1 leaked reference

    parse_subnet_declaration() - fixed 1 leaked reference

    parse_subnet6_declaration() - fixed 4 leaked references

server/ddns.c
    ddns_update_lease_ptr() - fixed 1 leaked reference

server/dhcp.c
    dhcpinform() - fixed 2 leaked references
    ack_lease() - fixed 1 leaked reference

server/mdb6.c
    create_lease6() - fixed 2 leaked references
---
 common/dns.c      |  5 +++--
 common/execute.c  | 11 +++++++++--
 common/options.c  |  3 +++
 relay/dhcrelay.c  |  2 +-
 server/confpars.c | 10 +++++++++-
 server/ddns.c     |  5 +++--
 server/dhcp.c     |  3 +++
 server/mdb6.c     |  2 ++
 8 files changed, 33 insertions(+), 8 deletions(-)

diff --git a/common/dns.c b/common/dns.c
index 5b097b69..4250614e 100644
--- a/common/dns.c
+++ b/common/dns.c
@@ -1374,8 +1374,9 @@ void cache_found_zone(dhcp_ddns_ns_t *ns_cb)
 	/* See if there's already such a zone. */
 	if (dns_zone_lookup(&zone, ns_cb->zname) == ISC_R_SUCCESS) {
 		/* If it's not a dynamic zone, leave it alone. */
-		if (zone->timeout == 0)
-			return;
+		if (zone->timeout == 0) {
+			goto cleanup;
+		}
 
 		/* Remove any old addresses in case they've changed */
 		if (zone->primary)
diff --git a/common/execute.c b/common/execute.c
index a33cec85..aad8067d 100644
--- a/common/execute.c
+++ b/common/execute.c
@@ -75,8 +75,10 @@ int execute_statements (result, packet, lease, client_state,
 #if defined (DEBUG_EXPRESSIONS)
 			log_debug ("exec: statements returns %d", status);
 #endif
-			if (!status)
+			if (!status) {
+				executable_statement_dereference (&r, MDL);
 				return 0;
+			}
 			break;
 
 		      case on_statement:
@@ -147,6 +149,8 @@ int execute_statements (result, packet, lease, client_state,
 				       on_star))) {
 					executable_statement_dereference
 						(&e, MDL);
+					executable_statement_dereference
+						(&r, MDL);
 					return 0;
 				}
 				executable_statement_dereference (&e, MDL);
@@ -176,8 +180,10 @@ int execute_statements (result, packet, lease, client_state,
 			    (result, packet, lease, client_state,
 			     in_options, out_options, scope,
 			     rc ? r->data.ie.tc : r->data.ie.fc,
-			     on_star))
+			     on_star)) {
+				executable_statement_dereference (&r, MDL);
 				return 0;
+			}
 			break;
 
 		      case eval_statement:
@@ -298,6 +304,7 @@ int execute_statements (result, packet, lease, client_state,
 #if defined (DEBUG_EXPRESSIONS)
 			log_debug ("exec: break");
 #endif
+			executable_statement_dereference (&r, MDL);
 			return 1;
 
 		      case supersede_option_statement:
diff --git a/common/options.c b/common/options.c
index fc0e0889..543ae5de 100644
--- a/common/options.c
+++ b/common/options.c
@@ -223,6 +223,7 @@ int parse_option_buffer (options, buffer, length, universe)
 				log_error("parse_option_buffer: "
 					  "save_option_buffer failed");
 				buffer_dereference(&bp, MDL);
+				option_dereference(&option, MDL);
 				return (0);
 			}
 		} else if (universe->concat_duplicates) {
@@ -234,6 +235,7 @@ int parse_option_buffer (options, buffer, length, universe)
 					     MDL)) {
 				log_error("parse_option_buffer: No memory.");
 				buffer_dereference(&bp, MDL);
+				option_dereference(&option, MDL);
 				return (0);
 			}
 			/* Copy old option to new data object. */
@@ -258,6 +260,7 @@ int parse_option_buffer (options, buffer, length, universe)
 			if (!option_cache_allocate(&nop, MDL)) {
 				log_error("parse_option_buffer: No memory.");
 				buffer_dereference(&bp, MDL);
+				option_dereference(&option, MDL);
 				return (0);
 			}
 
diff --git a/relay/dhcrelay.c b/relay/dhcrelay.c
index dd8e446d..be30f3dc 100644
--- a/relay/dhcrelay.c
+++ b/relay/dhcrelay.c
@@ -1869,7 +1869,7 @@ process_down6(struct packet *packet) {
 				   &global_scope, oc, MDL) ||
 	    (relay_msg.len < offsetof(struct dhcpv6_packet, options))) {
 		log_error("Can't evaluate relay-msg.");
-		return;
+		goto cleanup;
 	}
 	msg = (const struct dhcpv6_packet *) relay_msg.data;
 
diff --git a/server/confpars.c b/server/confpars.c
index 99fb9a6d..b50d5072 100644
--- a/server/confpars.c
+++ b/server/confpars.c
@@ -775,8 +775,11 @@ int parse_statement (cfile, group, type, host_decl, declaration)
 			et = (struct executable_statement *)0;
 			if (!parse_option_statement
 				(&et, cfile, 1, option,
-				 supersede_option_statement))
+				 supersede_option_statement)) {
+				option_dereference(&option, MDL);
 				return declaration;
+			}
+
 			option_dereference(&option, MDL);
 			goto insert_statement;
 		} else
@@ -2795,6 +2798,7 @@ void parse_subnet_declaration (cfile, share)
 	if (token != NETMASK) {
 		parse_warn (cfile, "Expecting netmask");
 		skip_to_semi (cfile);
+		subnet_dereference (&subnet, MDL);
 		return;
 	}
 
@@ -2898,6 +2902,7 @@ parse_subnet6_declaration(struct parse *cfile, struct shared_network *share) {
 	token = next_token(&val, NULL, cfile);
 	if (token != SLASH) {
 		parse_warn(cfile, "Expecting a '/'.");
+		subnet_dereference(&subnet, MDL);
 		skip_to_semi(cfile);
 		return;
 	}
@@ -2905,6 +2910,7 @@ parse_subnet6_declaration(struct parse *cfile, struct shared_network *share) {
 	token = next_token(&val, NULL, cfile);
 	if (token != NUMBER) {
 		parse_warn(cfile, "Expecting a number.");
+		subnet_dereference(&subnet, MDL);
 		skip_to_semi(cfile);
 		return;
 	}
@@ -2914,12 +2920,14 @@ parse_subnet6_declaration(struct parse *cfile, struct shared_network *share) {
 	    (subnet->prefix_len > 128) || 
 	    (*endp != '\0')) {
 	    	parse_warn(cfile, "Expecting a number between 0 and 128.");
+		subnet_dereference(&subnet, MDL);
 		skip_to_semi(cfile);
 		return;
 	}
 
 	if (!is_cidr_mask_valid(&subnet->net, subnet->prefix_len)) {
 		parse_warn(cfile, "New subnet mask too short.");
+		subnet_dereference(&subnet, MDL);
 		skip_to_semi(cfile);
 		return;
 	}
diff --git a/server/ddns.c b/server/ddns.c
index 1bd72f6b..aecc3d38 100644
--- a/server/ddns.c
+++ b/server/ddns.c
@@ -1285,9 +1285,10 @@ ddns_update_lease_ptr(struct lease    *lease,
 					    file, line);
 #endif
 			/*
-			 * never reached. update_lease_failed
-			 * calls log_fatal.
+			 * not reached when update_lease_failed is called,
+			 * it calls log_fatal.
 			 */
+			ipv6_pool_dereference(&pool, MDL);
 			return(ISC_R_FAILURE);
 		}
 		ipv6_pool_dereference(&pool, MDL);
diff --git a/server/dhcp.c b/server/dhcp.c
index 6d129ec9..0b6e2326 100644
--- a/server/dhcp.c
+++ b/server/dhcp.c
@@ -1193,6 +1193,7 @@ void dhcpinform (packet, ms_nulltp)
 		if (d1.len != 4) {
 			log_info("%s: ignored (invalid subnet selection option).", msgbuf);
 			option_state_dereference(&options, MDL);
+			data_string_forget(&d1, MDL);
 			return;
 		}
 
@@ -1574,6 +1575,7 @@ void dhcpinform (packet, ms_nulltp)
 			option_state_dereference (&options, MDL);
 			if (subnet)
 				subnet_dereference (&subnet, MDL);
+			data_string_forget (&d1, MDL);
 			return;
 		}
 
@@ -3526,6 +3528,7 @@ void ack_lease (packet, lease, offer, when, msg, ms_nulltp, hp)
 					   (const char *)d1.data, d1.len,
 					   MDL)) {
 			log_error ("unknown option space %s.", d1.data);
+			data_string_forget (&d1, MDL);
 			return;
 		}
 
diff --git a/server/mdb6.c b/server/mdb6.c
index 4afb3928..da7baf6e 100644
--- a/server/mdb6.c
+++ b/server/mdb6.c
@@ -1085,9 +1085,11 @@ create_lease6(struct ipv6_pool *pool, struct iasubopt **addr,
 		case D6O_IA_PD:
 			/* prefix */
 			log_error("create_lease6: prefix pool.");
+			data_string_forget(&ds, MDL);
 			return DHCP_R_INVALIDARG;
 		default:
 			log_error("create_lease6: untyped pool.");
+			data_string_forget(&ds, MDL);
 			return DHCP_R_INVALIDARG;
 		}
 
-- 
cgit v1.2.1