[PATCH v2 19/28] fs/squashfs: sqfs_get_abs_path: fix possible memory leak on error
João Marcos Costa
jmcosta944 at gmail.com
Tue Nov 3 13:44:47 CET 2020
Reviewed-by Joao Marcos Costa <jmcosta944 at gmail.com>
Em ter., 3 de nov. de 2020 às 08:12, Richard Genoud <
richard.genoud at posteo.net> escreveu:
> If sqfs_tokenize(rel_tokens, rc, rel) fails, the function exits
> without freeing the array base_tokens.
>
> Signed-off-by: Richard Genoud <richard.genoud at posteo.net>
> ---
> fs/squashfs/sqfs.c | 32 ++++++++++++++++++--------------
> 1 file changed, 18 insertions(+), 14 deletions(-)
>
> diff --git a/fs/squashfs/sqfs.c b/fs/squashfs/sqfs.c
> index 825d5d13fa2..f41deece0ae 100644
> --- a/fs/squashfs/sqfs.c
> +++ b/fs/squashfs/sqfs.c
> @@ -340,28 +340,31 @@ static char *sqfs_get_abs_path(const char *base,
> const char *rel)
> char **base_tokens, **rel_tokens, *resolved = NULL;
> int ret, bc, rc, i, updir = 0, resolved_size = 0, offset = 0;
>
> + base_tokens = NULL;
> + rel_tokens = NULL;
> +
> /* Memory allocation for the token lists */
> bc = sqfs_count_tokens(base);
> rc = sqfs_count_tokens(rel);
> if (bc < 1 || rc < 1)
> return NULL;
>
> - base_tokens = malloc(bc * sizeof(char *));
> + base_tokens = calloc(bc, sizeof(char *));
> if (!base_tokens)
> return NULL;
>
> - rel_tokens = malloc(rc * sizeof(char *));
> + rel_tokens = calloc(rc, sizeof(char *));
> if (!rel_tokens)
> - goto free_b_tokens;
> + goto out;
>
> /* Fill token lists */
> ret = sqfs_tokenize(base_tokens, bc, base);
> if (ret)
> - goto free_r_tokens;
> + goto out;
>
> ret = sqfs_tokenize(rel_tokens, rc, rel);
> if (ret)
> - goto free_r_tokens;
> + goto out;
>
> /* count '..' occurrences in target path */
> for (i = 0; i < rc; i++) {
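Review bot: The switch from `malloc()` to `calloc()` for both token arrays is load-bearing but undocumented. The single `out:` label now frees every slot of both arrays, so any slot that `sqfs_tokenize()` did not fill must be NULL for `free()` to be safe. I would add a comment above the allocations such as `/* calloc: the out: path frees every slot, so unfilled slots must be NULL */`, so a later change back to `malloc()` does not turn the error path into a free of uninitialised pointers. The two new `= NULL` assignments could also be folded into the declaration, `char **base_tokens = NULL, **rel_tokens = NULL, *resolved = NULL;`.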
> @@ -372,7 +375,7 @@ static char *sqfs_get_abs_path(const char *base, const
> char *rel)
> /* Remove the last token and the '..' occurrences */
> bc = sqfs_clean_base_path(base_tokens, bc, updir);
> if (bc < 0)
> - goto free_r_tokens;
> + goto out;
>
> /* Calculate resolved path size */
> if (!bc)
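Review bot: On the `bc < 0` path, the cleanup loop `for (i = 0; i < bc; i++)` at `out:` in the last hunk runs zero times, because `bc` has just been overwritten with the negative return value. The strings in `base_tokens` are then freed only if `sqfs_clean_base_path()` already released them on failure, and that function is not visible in this patch. Keeping the count intact until the call succeeds avoids depending on that: `ret = sqfs_clean_base_path(base_tokens, bc, updir);` `if (ret < 0) goto out;` `bc = ret;`. This matters because the paths being resolved presumably come from the filesystem image, so this error path may be reachable with crafted input.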
> @@ -383,7 +386,7 @@ static char *sqfs_get_abs_path(const char *base, const
> char *rel)
>
> resolved = malloc(resolved_size + 1);
> if (!resolved)
> - goto free_r_tokens_loop;
> + goto out;
>
> /* Set resolved path */
> memset(resolved, '\0', resolved_size + 1);
> @@ -391,14 +394,15 @@ static char *sqfs_get_abs_path(const char *base,
> const char *rel)
> resolved[offset++] = '/';
> offset += sqfs_join(rel_tokens, resolved + offset, updir, rc, '/');
>
> -free_r_tokens_loop:
> - for (i = 0; i < rc; i++)
> - free(rel_tokens[i]);
> - for (i = 0; i < bc; i++)
> - free(base_tokens[i]);
> -free_r_tokens:
> +out:
> + if (rel_tokens)
> + for (i = 0; i < rc; i++)
> + free(rel_tokens[i]);
> + if (base_tokens)
> + for (i = 0; i < bc; i++)
> + free(base_tokens[i]);
> +
> free(rel_tokens);
> -free_b_tokens:
> free(base_tokens);
>
> return resolved;
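Review bot: The `if (rel_tokens)` and `if (base_tokens)` guards at `out:` each wrap a two-line `for` statement without braces, which is easy to misread or break when another statement is added. Bracing the outer `if` makes the scope explicit: `if (rel_tokens) {` ... `}`. The guards are needed because `rel_tokens` is still NULL, with `rc` already set, when its `calloc()` fails. A short comment such as `/* arrays may be NULL if allocation failed; slots may be NULL if tokenizing stopped early */` would record why. The function body begins outside this hunk.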
>
--
Atenciosamente,
João Marcos Costa
www.linkedin.com/in/jmarcoscosta/
https://github.com/jmarcoscosta