slirp: Convert mbufs to use g_malloc() and g_free()

The mbuf code currently doesn't check the result of doing a malloc()
or realloc() of its data (spotted by Coverity, CID 1238946).
Since the m_inc() API assumes that extending an mbuf must succeed,
just convert to g_malloc() and g_free().

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>

diff --git a/slirp/mbuf.c b/slirp/mbuf.c
index 7eddc217e4394a0186589e1026145fd2d3dbd6d0..5ff24559fd4a2308fcb71283df9311c36ff733c4 100644 (file)
--- a/slirp/mbuf.c
+++ b/slirp/mbuf.c
@@ -10,7 +10,7 @@
  * FreeBSD.  They are fixed size, determined by the MTU,
  * so that one whole packet can fit.  Mbuf's cannot be
  * chained together.  If there's more data than the mbuf
- * could hold, an external malloced buffer is pointed to
+ * could hold, an external g_malloced buffer is pointed to
  * by m_ext (and the data pointers) and M_EXT is set in
  * the flags
  */
@@ -41,26 +41,26 @@ void m_cleanup(Slirp *slirp)
     while ((struct quehead *) m != &slirp->m_usedlist) {
         next = m->m_next;
         if (m->m_flags & M_EXT) {
-            free(m->m_ext);
+            g_free(m->m_ext);
         }
-        free(m);
+        g_free(m);
         m = next;
     }
     m = (struct mbuf *) slirp->m_freelist.qh_link;
     while ((struct quehead *) m != &slirp->m_freelist) {
         next = m->m_next;
-        free(m);
+        g_free(m);
         m = next;
     }
 }
 
 /*
  * Get an mbuf from the free list, if there are none
- * malloc one
+ * allocate one
  *
  * Because fragmentation can occur if we alloc new mbufs and
  * free old mbufs, we mark all mbufs above mbuf_thresh as M_DOFREE,
- * which tells m_free to actually free() it
+ * which tells m_free to actually g_free() it
  */
 struct mbuf *
 m_get(Slirp *slirp)
@@ -71,8 +71,7 @@ m_get(Slirp *slirp)
        DEBUG_CALL("m_get");
 
        if (slirp->m_freelist.qh_link == &slirp->m_freelist) {
-               m = (struct mbuf *)malloc(SLIRP_MSIZE);
-               if (m == NULL) goto end_error;
+                m = g_malloc(SLIRP_MSIZE);
                slirp->mbuf_alloced++;
                if (slirp->mbuf_alloced > MBUF_THRESH)
                        flags = M_DOFREE;
@@ -94,7 +93,6 @@ m_get(Slirp *slirp)
         m->m_prevpkt = NULL;
         m->resolution_requested = false;
         m->expiration_date = (uint64_t)-1;
-end_error:
        DEBUG_ARG("m = %p", m);
        return m;
 }
@@ -112,15 +110,15 @@ m_free(struct mbuf *m)
           remque(m);
 
        /* If it's M_EXT, free() it */
-       if (m->m_flags & M_EXT)
-          free(m->m_ext);
-
+        if (m->m_flags & M_EXT) {
+                g_free(m->m_ext);
+        }
        /*
         * Either free() it or put it on the free list
         */
        if (m->m_flags & M_DOFREE) {
                m->slirp->mbuf_alloced--;
-               free(m);
+                g_free(m);
        } else if ((m->m_flags & M_FREELIST) == 0) {
                insque(m,&m->slirp->m_freelist);
                m->m_flags = M_FREELIST; /* Clobber other flags */
@@ -130,7 +128,7 @@ m_free(struct mbuf *m)
 
 /*
  * Copy data from one mbuf to the end of
- * the other.. if result is too big for one mbuf, malloc()
+ * the other.. if result is too big for one mbuf, allocate
  * an M_EXT data segment
  */
 void
@@ -160,12 +158,12 @@ m_inc(struct mbuf *m, int size)
 
         if (m->m_flags & M_EXT) {
          datasize = m->m_data - m->m_ext;
-         m->m_ext = (char *)realloc(m->m_ext,size);
+          m->m_ext = g_realloc(m->m_ext, size);
          m->m_data = m->m_ext + datasize;
         } else {
          char *dat;
          datasize = m->m_data - m->m_dat;
-         dat = (char *)malloc(size);
+          dat = g_malloc(size);
          memcpy(dat, m->m_dat, m->m_size);
 
          m->m_ext = dat;