[Pkg-libvirt-commits] [libguestfs] 175/384: daemon: readdir: fix invalid memory access on error

Hilko Bengen bengen at moszumanska.debian.org
Sun Mar 29 16:56:49 UTC 2015


This is an automated email from the git hooks/post-receive script.

bengen pushed a commit to branch experimental
in repository libguestfs.

commit 7618e41d33e731f6392d783510705492cbf82eef
Author: Pino Toscano <ptoscano at redhat.com>
Date:   Tue Jan 20 14:09:36 2015 +0100

    daemon: readdir: fix invalid memory access on error
    
    If "strdup (d->d_name)" fails with "i" > 0, then both "p" and
    "ret->guestfs_int_dirent_list_val" are non-null pointers, but the latter
    is no longer valid (since "p" is the new realloc'ed buffer). Hence, trying
    to free both will access invalid memory.
    
    Make sure to free only one of them, "p" if not null or
    "ret->guestfs_int_dirent_list_val" otherwise.
---
 daemon/readdir.c | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)

diff --git a/daemon/readdir.c b/daemon/readdir.c
index f0ddd21..e488f93 100644
--- a/daemon/readdir.c
+++ b/daemon/readdir.c
@@ -27,6 +27,17 @@
 #include "daemon.h"
 #include "actions.h"
 
+static void
+free_int_dirent_list (guestfs_int_dirent *p, size_t len)
+{
+  size_t i;
+
+  for (i = 0; i < len; ++i) {
+    free (p[i].name);
+  }
+  free (p);
+}
+
 guestfs_int_dirent_list *
 do_readdir (const char *path)
 {
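Review bot: free_int_dirent_list has no comment stating its contract, and the loop around free (p[i].name) depends on it: every entry below len must hold a name that is either NULL or a heap pointer, and p may be NULL only when len is 0. The commit message says the array comes from realloc, so entries at or beyond the populated count are uninitialised. A short comment above the function saying that len is the number of fully populated entries, not the allocated size, would keep a later caller from passing the wrong value.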
@@ -64,8 +75,11 @@ do_readdir (const char *path)
     v.name = strdup (d->d_name);
     if (!p || !v.name) {
       reply_with_perror ("allocate");
-      free (ret->guestfs_int_dirent_list_val);
-      free (p);
+      if (p) {
+        free_int_dirent_list (p, i);
+      } else {
+        free_int_dirent_list (ret->guestfs_int_dirent_list_val, i);
+      }
       free (v.name);
       free (ret);
       closedir (dir);
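Review bot: the two branches of the new if (p) in the error path differ only in which pointer is passed, so they can collapse into one call, free_int_dirent_list (p ? p : ret->guestfs_int_dirent_list_val, i), with a one-line comment that after a successful realloc the old pointer must not be touched. The new call also frees the name of each of the first i entries, which the removed free () calls did not do; that leak fix is not mentioned in the commit message and deserves a line there.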

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-libvirt/libguestfs.git


