CC2530: Potential memory leak in afFindSimpleDesc - ZSTACK3.0.2

Mario DW

Part Number: CC2530

When reading the code I notice that *pDESC is assigned NULL, without setting rtrn to TRUE.

The comment says that rtrn must be true to free the descriptor memory.

Assigning the NULL pointer without returning true looks like a potential memory leak.
I'll let you confirm or not:

/*********************************************************************^M
 * @fn      afFindSimpleDesc^M
 *^M
 * @brief   Find the Simple Descriptor from the endpoint number.^M
 *^M
 * @param   EP - Application Endpoint to look for.^M
 *^M
 * @return  Non-zero to indicate that the descriptor memory must be freed.^M
 */^M
uint8 afFindSimpleDesc( SimpleDescriptionFormat_t **ppDesc, uint8 EP )^M
{^M
  epList_t *epItem = afFindEndPointDescList( EP );^M
  uint8 rtrn = FALSE;^M
^M
  if ( epItem )^M
  {^M
    if ( epItem->pfnDescCB )^M
    {^M
      *ppDesc = epItem->pfnDescCB( AF_DESCRIPTOR_SIMPLE, EP );^M
      rtrn = TRUE;^M
    }^M
    else^M
    {^M
      *ppDesc = epItem->epDesc->simpleDesc;^M
    }^M
  }^M
  else^M
  {^M
    *ppDesc = NULL;^M
  }^M
^M
  return rtrn;^M
}^M

Sorry for the CTRL-M - I am checking the files from a linux -like prompt.

over 5 years ago

0 Ryan Brown1 over 5 years ago

TI__Guru**** 219997 points

Hi Mario,

Here is the description for pDescCB

// Typedef for callback function to retrieve an endpoints
//   descriptors, contained in the endpoint descriptor.
//   This will allow an application to dynamically change
//   the descriptor and not use the RAM/ROM.
typedef void *(*pDescCB)( uint8_t type, uint8_t endpoint );

So only if pfnDescCB exists will the memory need to be freed later in ZDO_ProcessSimpleDescReq (only location where afFindSimpleDesc is referenced), otherwise sDesc is detected as null and a ZDP_NOT_ACTIVE stat is provided for processing in ZDP_SimpleDescMsg.

Regards,
Ryan

Zigbee & Thread

Zigbee & Thread forum

CC2530: Potential memory leak in afFindSimpleDesc - ZSTACK3.0.2