Overview

File 0014-Fix-double-free-in-list_subsys.patch of Package nvme-cli.7759

From 2a14a0c88e683685598f30c433517d2acbadec62 Mon Sep 17 00:00:00 2001
From: Vijay Kumar <vijay.ac.kumar@oracle.com>
Date: Tue, 6 Mar 2018 19:45:34 -0600
Subject: [PATCH] Fix double free in list_subsys

get_nvme_subsystem_info() deallocates subsys_list_item in case of error.
This hits double free when list_subsys() as well attempts to free it.
Removed deallocation of subsys_list_item from get_nvme_subsystem_info().

Signed-off-by: Vijay Kumar <vijay.ac.kumar@oracle.com>
---
 nvme.c | 33 +++++++++------------------------
 1 file changed, 9 insertions(+), 24 deletions(-)

diff --git a/nvme.c b/nvme.c
index 8f26aed..edcdf2d 100644
--- a/nvme.c
+++ b/nvme.c
@@ -1097,17 +1097,17 @@ int get_nvme_subsystem_info(char *name, char *path,
 {
 	char ctrl_path[512];
 	struct dirent **ctrls;
-	int n, i;
+	int n, i, ret = 1;
 
 	item->subsysnqn = get_nvme_subsnqn(path);
 	if (!item->subsysnqn)
-		return 1;
+		return ret;
 
 	item->name = strdup(name);
 
 	n = scandir(path, &ctrls, scan_ctrls_filter, alphasort);
 	if (n < 0)
-		goto free_subysynqn;
+		return ret;
 
 	item->ctrls = calloc(n, sizeof(struct ctrl_list_item));
 	if (!item->ctrls)
@@ -1122,38 +1122,23 @@ int get_nvme_subsystem_info(char *name, char *path,
 			 item->ctrls[i].name);
 
 		item->ctrls[i].address = get_nvme_ctrl_address(ctrl_path);
-		if (!item->ctrls[i].address) {
-			free(item->ctrls[i].name);
-			goto free_ctrl_list;
-		}
+		if (!item->ctrls[i].address)
+			goto free_ctrls;
 
 		item->ctrls[i].transport = get_nvme_ctrl_transport(ctrl_path);
-		if (!item->ctrls[i].transport) {
-			free(item->ctrls[i].name);
-			free(item->ctrls[i].address);
-			goto free_ctrl_list;
-		}
+		if (!item->ctrls[i].transport)
+			goto free_ctrls;
 	}
 
-	for (i = 0; i < n; i++)
-		free(ctrls[i]);
-	free(ctrls);
-
-	return 0;
-
-free_ctrl_list:
-	free(item->ctrls);
+	ret = 0;
 
 free_ctrls:
 	for (i = 0; i < n; i++)
 		free(ctrls[i]);
 	free(ctrls);
 
-free_subysynqn:
-	free(item->subsysnqn);
-	free(item->name);
+	return ret;
 
-	return 1;
 }
 
 static int scan_subsys_filter(const struct dirent *d)
-- 
2.13.7
openSUSE Build Service is sponsored by
Places