Message ID | 20201207090755.16161-1-l@damenly.su (mailing list archive) |
---|---|
State | New, archived |
Headers | show |
Series | btrfs-progs: cmd-subvolume: set subvol_path to NULL after free | expand |
On Mon, Dec 07, 2020 at 05:07:55PM +0800, Su Yue wrote: > User reported that `btrfs subvolume show -u -- /mnt` causes double free. > > > Pointer subovl_path was freed in iterations but still keeps old value. > In the last iteration, error BTRFS_UTIL_ERROR_STOP_ITERATION returned, > then the double free of subvol_path happens in the out goto label. > > Set subvol_path to NULL after each free() in the loop to fix the issue. > > Links: https://github.com/kdave/btrfs-progs/issues/317 > Signed-off-by: Su Yue <l@damenly.su> Thanks, added to devel.
diff --git a/cmds/subvolume.c b/cmds/subvolume.c index f153cfa9..a6771d10 100644 --- a/cmds/subvolume.c +++ b/cmds/subvolume.c @@ -1117,6 +1117,7 @@ static int cmd_subvol_show(const struct cmd_struct *cmd, int argc, char **argv) break; free(subvol_path); + subvol_path = NULL; } btrfs_util_destroy_subvolume_iterator(iter); } else {
User reported that `btrfs subvolume show -u -- /mnt` causes double free. Pointer subovl_path was freed in iterations but still keeps old value. In the last iteration, error BTRFS_UTIL_ERROR_STOP_ITERATION returned, then the double free of subvol_path happens in the out goto label. Set subvol_path to NULL after each free() in the loop to fix the issue. Links: https://github.com/kdave/btrfs-progs/issues/317 Signed-off-by: Su Yue <l@damenly.su> --- cmds/subvolume.c | 1 + 1 file changed, 1 insertion(+)