[U-Boot] Possible bug in UBIFS function ubifs_finddir

Rod Boyce uboot at teamboyce.co.uk
Thu Jun 16 13:13:28 CEST 2011


All,

Hello again, it has been a while since I was here.
I am working on u-boot once again and think I may have found a bug in the
UBIFS sub-system.

The function is ubifs_finddir and the issue is that there seems to be a
free of a pointer in a structure that has already been freed.  This is
causing the free function to rightly crash.

The code is in the error path of the ubifs_finddir at the end of the
function line 363:

	if (file)
		free(file);
	if (dentry)
		free(dentry);
	if (dir)
		free(dir);

	if (file->private_data)
		kfree(file->private_data);
	file->private_data = NULL;
	file->f_pos = 2;

The issue is that we are freeing the file pointer at the top of this
block and then trying to free the private_data element after the base
pointer.  I will fix and send a patch but before I do I just wanted to
make sure I was not missing the obvious.
Has this been discussed before and is there already a patch?

Regards,
Rod Boyce
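To make the ordering problem in the quoted error path concrete, here is an added example (not U-Boot code, and not part of the original post). It uses cut-down stand-in structures and a small quarantine allocator of my own: freed blocks are poisoned and retained instead of handed back to libc, so dereferencing `file` after it has been released shows up as a counted bad free and a leaked `private_data` block rather than a crash. The function and field names mirror the snippet above; everything else is an assumption made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Cut-down stand-ins for the structures the quoted snippet touches
 * (assumed shapes for this example, not U-Boot's real definitions). */
struct dentry { char name[32]; };
struct inode  { unsigned int mode; };
struct file   { void *private_data; long f_pos; };

/* Quarantine allocator for this example: freed blocks are poisoned and kept,
 * so a use-after-free or double free becomes a counter instead of a crash. */
#define MAX_BLOCKS 16
#define POISON_BYTE 0xA5

static struct { void *p; size_t n; int freed; } g_blocks[MAX_BLOCKS];
static int g_nblocks;
static int g_double_free; /* free() of a block already freed */
static int g_bad_free;    /* free() of a pointer this allocator never handed out */

static void *q_alloc(size_t n)
{
    if (g_nblocks >= MAX_BLOCKS)
        return NULL;
    void *p = calloc(1, n);
    if (!p)
        return NULL;
    g_blocks[g_nblocks].p = p;
    g_blocks[g_nblocks].n = n;
    g_blocks[g_nblocks++].freed = 0;
    return p;
}

static void q_free(void *p)
{
    if (!p)
        return;
    for (int i = 0; i < g_nblocks; i++) {
        if (g_blocks[i].p != p)
            continue;
        if (g_blocks[i].freed) { g_double_free++; return; }
        g_blocks[i].freed = 1;
        memset(p, POISON_BYTE, g_blocks[i].n); /* poison, but keep the memory */
        return;
    }
    g_bad_free++; /* e.g. a pointer value read out of poisoned memory */
}

static void q_reset(void)
{
    for (int i = 0; i < g_nblocks; i++)
        free(g_blocks[i].p);
    g_nblocks = g_double_free = g_bad_free = 0;
}

static int q_live(void)
{
    int live = 0;
    for (int i = 0; i < g_nblocks; i++)
        live += !g_blocks[i].freed;
    return live;
}

/* The order from the post: file is released, then file->private_data is read. */
static void cleanup_as_posted(struct file *file, struct dentry *dentry, struct inode *dir)
{
    if (file)
        q_free(file);
    if (dentry)
        q_free(dentry);
    if (dir)
        q_free(dir);

    if (file->private_data)         /* reads the poisoned block: 0xA5A5..., non-NULL */
        q_free(file->private_data); /* flagged as a bad free; the real block leaks */
    file->private_data = NULL;      /* write into freed memory */
    file->f_pos = 2;
}

/* Corrected order: release what hangs off file while file is still valid, then file. */
static void cleanup_fixed(struct file *file, struct dentry *dentry, struct inode *dir)
{
    if (file) {
        q_free(file->private_data);
        file->private_data = NULL;
        file->f_pos = 2;
        q_free(file);
    }
    q_free(dentry);
    q_free(dir);
}

typedef void (*cleanup_fn)(struct file *, struct dentry *, struct inode *);

/* Build the objects the error path would hold (constructed input), run one cleanup,
 * and report: return value = bad + double frees seen, *live_out = leaked blocks.
 * Returns -1 if the constructed input could not be allocated. */
int run_cleanup(cleanup_fn cleanup, int *live_out)
{
    q_reset();
    struct file *file = q_alloc(sizeof *file);
    struct dentry *dentry = q_alloc(sizeof *dentry);
    struct inode *dir = q_alloc(sizeof *dir);
    void *priv = q_alloc(64); /* stand-in for the directory cursor in private_data */
    if (!file || !dentry || !dir || !priv)
        return -1;
    file->private_data = priv;
    cleanup(file, dentry, dir);
    *live_out = q_live();
    return g_bad_free + g_double_free;
}

int main(void)
{
    int live, bad;
    bad = run_cleanup(cleanup_as_posted, &live);
    printf("as posted: %d bad/double frees, %d leaked block(s)\n", bad, live);
    bad = run_cleanup(cleanup_fixed, &live);
    printf("fixed:     %d bad/double frees, %d leaked block(s)\n", bad, live);
    return 0;
}
```

Running it reports one bad free and one leaked block for the posted order and zero for the corrected one. The same effect is what AddressSanitizer (`-fsanitize=address`) would report as a heap-use-after-free on a host build; on the target, where the allocator simply reuses the block, the symptom is the crash described above.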