[PATCH] fs/sqaushfs: avoid illegal free() in sqfs_opendir()

João Marcos Costa jmcosta944 at gmail.com
Mon Apr 14 14:54:29 CEST 2025


Hello, Heinrich

On Fri, Apr 11, 2025 at 09:19, Heinrich Schuchardt <
heinrich.schuchardt at canonical.com> wrote:

> * Use calloc() to allocate token_list. This avoids an illegal free if
>   sqfs_tokenize() fails.
> * Do not iterate over token_list if it has not been allocated.
>
> Addresses-Coverity-ID: 510453:  Null pointer dereferences  (FORWARD_NULL)
> Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt at canonical.com>
> ---
>  fs/squashfs/sqfs.c | 10 ++++++----
>  1 file changed, 6 insertions(+), 4 deletions(-)
>
> diff --git a/fs/squashfs/sqfs.c b/fs/squashfs/sqfs.c
> index 7c364686f14..2dcdd60f683 100644
> --- a/fs/squashfs/sqfs.c
> +++ b/fs/squashfs/sqfs.c
> @@ -949,7 +949,7 @@ static int sqfs_opendir_nest(const char *filename,
> struct fs_dir_stream **dirsp)
>                 goto out;
>         }
>
> -       token_list = malloc(token_count * sizeof(char *));
> +       token_list = calloc(token_count, sizeof(char *));
>         if (!token_list) {
>                 ret = -EINVAL;
>                 goto out;
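
Review bot: The unchanged context right after the new calloc() call still reports an allocation failure as `ret = -EINVAL`; -ENOMEM would describe that condition more accurately, and this line is already being touched. The switch to calloc() itself is what makes the `free(token_list[j])` loop at `out:` safe when only some entries were filled in, so a short comment above the allocation saying the zeroing is relied upon would keep someone from reverting it to malloc() later.
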
> @@ -987,9 +987,11 @@ static int sqfs_opendir_nest(const char *filename,
> struct fs_dir_stream **dirsp)
>         *dirsp = (struct fs_dir_stream *)dirs;
>
>  out:
> -       for (j = 0; j < token_count; j++)
> -               free(token_list[j]);
> -       free(token_list);
> +       if (token_list) {
> +               for (j = 0; j < token_count; j++)
> +                       free(token_list[j]);
> +               free(token_list);
> +       }
>         free(pos_list);
>         free(path);
>         if (ret) {
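
Review bot: The new `if (token_list)` guard at `out:` only protects the early `goto out` paths (such as the one visible at the top of the first hunk, before the allocation) if token_list is initialised to NULL at its declaration, which is not visible in these hunks; please confirm that, or add the initialiser in this patch. As a smaller style point, free(NULL) is a no-op, so only the `for` loop needs to be inside the guard and `free(token_list);` could stay unconditional, matching `free(pos_list);` and `free(path);` just below.
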
> --
> 2.48.1
>
>
Thanks for your patch. Just a nit, though: there's a typo in the patch
title ('sqaushfs').

Reviewed-by: Joao Marcos Costa <jmcosta944 at gmail.com>
-- 
Best regards,
João Marcos Costa

