|
 |
f239de |
From b31f493cadc92023056a096d0281957c49fca22c Mon Sep 17 00:00:00 2001
|
|
|
f239de |
From: Theodore Ts'o <tytso@mit.edu>
|
|
|
f239de |
Date: Fri, 12 Feb 2021 21:43:00 -0500
|
|
|
f239de |
Subject: [PATCH 19/46] debugfs: fix memory allocation failures when parsing
|
|
|
f239de |
journal_write arguments
|
|
|
f239de |
Content-Type: text/plain
|
|
|
f239de |
|
|
|
f239de |
Fix double-free issues when parsing an invalid journal_write command,
|
|
|
f239de |
such as: "journal_write -b 12 -b BAD -b 42".
|
|
|
f239de |
|
|
|
f239de |
Addresses-Coverity-Bug: 1464571
|
|
|
f239de |
Addresses-Coverity-Bug: 1464575
|
|
|
f239de |
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
|
f239de |
Signed-off-by: Lukas Czerner <lczerner@redhat.com>
|
|
|
f239de |
---
|
|
|
f239de |
debugfs/do_journal.c | 8 ++++++--
|
|
|
f239de |
debugfs/util.c | 15 +++++++--------
|
|
|
f239de |
2 files changed, 13 insertions(+), 10 deletions(-)
|
|
|
f239de |
|
|
|
f239de |
diff --git a/debugfs/do_journal.c b/debugfs/do_journal.c
|
|
|
f239de |
index 15ef6829..5091a530 100644
|
|
|
f239de |
--- a/debugfs/do_journal.c
|
|
|
f239de |
+++ b/debugfs/do_journal.c
|
|
|
f239de |
@@ -554,15 +554,19 @@ void do_journal_write(int argc, char *argv[], int sci_idx EXT2FS_ATTR((unused)),
|
|
|
f239de |
switch (opt) {
|
|
|
f239de |
case 'b':
|
|
|
f239de |
err = read_list(optarg, &blist, &bn);
|
|
|
f239de |
- if (err)
|
|
|
f239de |
+ if (err) {
|
|
|
f239de |
com_err(argv[0], err,
|
|
|
f239de |
"while reading block list");
|
|
|
f239de |
+ goto out;
|
|
|
f239de |
+ }
|
|
|
f239de |
break;
|
|
|
f239de |
case 'r':
|
|
|
f239de |
err = read_list(optarg, &rlist, &rn);
|
|
|
f239de |
- if (err)
|
|
|
f239de |
+ if (err) {
|
|
|
f239de |
com_err(argv[0], err,
|
|
|
f239de |
"while reading revoke list");
|
|
|
f239de |
+ goto out;
|
|
|
f239de |
+ }
|
|
|
f239de |
break;
|
|
|
f239de |
case 'c':
|
|
|
f239de |
flags |= JOURNAL_WRITE_NO_COMMIT;
|
|
|
f239de |
diff --git a/debugfs/util.c b/debugfs/util.c
|
|
|
f239de |
index 091f6f65..bbb20ff6 100644
|
|
|
f239de |
--- a/debugfs/util.c
|
|
|
f239de |
+++ b/debugfs/util.c
|
|
|
f239de |
@@ -521,7 +521,7 @@ errcode_t read_list(char *str, blk64_t **list, size_t *len)
|
|
|
f239de |
blk64_t *lst = *list;
|
|
|
f239de |
size_t ln = *len;
|
|
|
f239de |
char *tok, *p = str;
|
|
|
f239de |
- errcode_t retval;
|
|
|
f239de |
+ errcode_t retval = 0;
|
|
|
f239de |
|
|
|
f239de |
while ((tok = strtok(p, ","))) {
|
|
|
f239de |
blk64_t *l;
|
|
|
f239de |
@@ -538,15 +538,17 @@ errcode_t read_list(char *str, blk64_t **list, size_t *len)
|
|
|
f239de |
return errno;
|
|
|
f239de |
} else if (*e != 0) {
|
|
|
f239de |
retval = EINVAL;
|
|
|
f239de |
- goto err;
|
|
|
f239de |
+ break;
|
|
|
f239de |
}
|
|
|
f239de |
if (y < x) {
|
|
|
f239de |
retval = EINVAL;
|
|
|
f239de |
- goto err;
|
|
|
f239de |
+ break;
|
|
|
f239de |
}
|
|
|
f239de |
l = realloc(lst, sizeof(blk64_t) * (ln + y - x + 1));
|
|
|
f239de |
- if (l == NULL)
|
|
|
f239de |
- return ENOMEM;
|
|
|
f239de |
+ if (l == NULL) {
|
|
|
f239de |
+ retval = ENOMEM;
|
|
|
f239de |
+ break;
|
|
|
f239de |
+ }
|
|
|
f239de |
lst = l;
|
|
|
f239de |
for (; x <= y; x++)
|
|
|
f239de |
lst[ln++] = x;
|
|
|
f239de |
@@ -555,8 +557,5 @@ errcode_t read_list(char *str, blk64_t **list, size_t *len)
|
|
|
f239de |
|
|
|
f239de |
*list = lst;
|
|
|
f239de |
*len = ln;
|
|
|
f239de |
- return 0;
|
|
|
f239de |
-err:
|
|
|
f239de |
- free(lst);
|
|
|
f239de |
return retval;
|
|
|
f239de |
}
|
|
|
f239de |
--
|
|
|
f239de |
2.35.1
|
|
|
f239de |
|