[Pkg-libvirt-commits] [libguestfs] 123/146: daemon: readdir: fix invalid memory access on error
Hilko Bengen
bengen at moszumanska.debian.org
Sun Mar 29 17:01:18 UTC 2015
This is an automated email from the git hooks/post-receive script.
bengen pushed a commit to branch master
in repository libguestfs.
commit d2b88cacd9d4218d5753a0001aeb41ecca5299bc
Author: Pino Toscano <ptoscano at redhat.com>
Date: Tue Jan 20 14:09:36 2015 +0100
daemon: readdir: fix invalid memory access on error
If "strdup (d->d_name)" fails with "i" > 0, then both "p" and
"ret->guestfs_int_dirent_list_val" are non-null pointers, but the latter
is no more valid (since "p" is the new realloc'ed buffer). Hence, trying
to free both will access to invalid memory.
Make sure to free only one of them, "p" if not null or
"ret->guestfs_int_dirent_list_val" otherwise.
(cherry picked from commit 7618e41d33e731f6392d783510705492cbf82eef)
---
daemon/readdir.c | 18 ++++++++++++++++--
1 file changed, 16 insertions(+), 2 deletions(-)
diff --git a/daemon/readdir.c b/daemon/readdir.c
index f0ddd21..e488f93 100644
--- a/daemon/readdir.c
+++ b/daemon/readdir.c
@@ -27,6 +27,17 @@
#include "daemon.h"
#include "actions.h"
+static void
+free_int_dirent_list (guestfs_int_dirent *p, size_t len)
+{
+ size_t i;
+
+ for (i = 0; i < len; ++i) {
+ free (p[i].name);
+ }
+ free (p);
+}
+
guestfs_int_dirent_list *
do_readdir (const char *path)
{
@@ -64,8 +75,11 @@ do_readdir (const char *path)
v.name = strdup (d->d_name);
if (!p || !v.name) {
reply_with_perror ("allocate");
- free (ret->guestfs_int_dirent_list_val);
- free (p);
+ if (p) {
+ free_int_dirent_list (p, i);
+ } else {
+ free_int_dirent_list (ret->guestfs_int_dirent_list_val, i);
+ }
free (v.name);
free (ret);
closedir (dir);
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-libvirt/libguestfs.git
More information about the Pkg-libvirt-commits
mailing list