Blame SOURCES/e2fsprogs-1.45.6-debugfs-fix-memory-allocation-failures-when-parsing-.patch

a77133
From b31f493cadc92023056a096d0281957c49fca22c Mon Sep 17 00:00:00 2001
a77133
From: Theodore Ts'o <tytso@mit.edu>
a77133
Date: Fri, 12 Feb 2021 21:43:00 -0500
a77133
Subject: [PATCH 19/46] debugfs: fix memory allocation failures when parsing
a77133
 journal_write arguments
a77133
Content-Type: text/plain
a77133
a77133
Fix double-free issues when parsing an invalid journal_write command,
a77133
such as: "journal_write -b 12 -b BAD -b 42".
a77133
a77133
Addresses-Coverity-Bug: 1464571
a77133
Addresses-Coverity-Bug: 1464575
a77133
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
a77133
Signed-off-by: Lukas Czerner <lczerner@redhat.com>
a77133
---
a77133
 debugfs/do_journal.c |  8 ++++++--
a77133
 debugfs/util.c       | 15 +++++++--------
a77133
 2 files changed, 13 insertions(+), 10 deletions(-)
a77133
a77133
diff --git a/debugfs/do_journal.c b/debugfs/do_journal.c
a77133
index 15ef6829..5091a530 100644
a77133
--- a/debugfs/do_journal.c
a77133
+++ b/debugfs/do_journal.c
a77133
@@ -554,15 +554,19 @@ void do_journal_write(int argc, char *argv[], int sci_idx EXT2FS_ATTR((unused)),
a77133
 		switch (opt) {
a77133
 		case 'b':
a77133
 			err = read_list(optarg, &blist, &bn);
a77133
-			if (err)
a77133
+			if (err) {
a77133
 				com_err(argv[0], err,
a77133
 					"while reading block list");
a77133
+				goto out;
a77133
+			}
a77133
 			break;
a77133
 		case 'r':
a77133
 			err = read_list(optarg, &rlist, &rn);
a77133
-			if (err)
a77133
+			if (err) {
a77133
 				com_err(argv[0], err,
a77133
 					"while reading revoke list");
a77133
+				goto out;
a77133
+			}
a77133
 			break;
a77133
 		case 'c':
a77133
 			flags |= JOURNAL_WRITE_NO_COMMIT;
a77133
diff --git a/debugfs/util.c b/debugfs/util.c
a77133
index 091f6f65..bbb20ff6 100644
a77133
--- a/debugfs/util.c
a77133
+++ b/debugfs/util.c
a77133
@@ -521,7 +521,7 @@ errcode_t read_list(char *str, blk64_t **list, size_t *len)
a77133
 	blk64_t *lst = *list;
a77133
 	size_t ln = *len;
a77133
 	char *tok, *p = str;
a77133
-	errcode_t retval;
a77133
+	errcode_t retval = 0;
a77133
 
a77133
 	while ((tok = strtok(p, ","))) {
a77133
 		blk64_t *l;
a77133
@@ -538,15 +538,17 @@ errcode_t read_list(char *str, blk64_t **list, size_t *len)
a77133
 				return errno;
a77133
 		} else if (*e != 0) {
a77133
 			retval = EINVAL;
a77133
-			goto err;
a77133
+			break;
a77133
 		}
a77133
 		if (y < x) {
a77133
 			retval = EINVAL;
a77133
-			goto err;
a77133
+			break;
a77133
 		}
a77133
 		l = realloc(lst, sizeof(blk64_t) * (ln + y - x + 1));
a77133
-		if (l == NULL)
a77133
-			return ENOMEM;
a77133
+		if (l == NULL) {
a77133
+			retval = ENOMEM;
a77133
+			break;
a77133
+		}
a77133
 		lst = l;
a77133
 		for (; x <= y; x++)
a77133
 			lst[ln++] = x;
a77133
@@ -555,8 +557,5 @@ errcode_t read_list(char *str, blk64_t **list, size_t *len)
a77133
 
a77133
 	*list = lst;
a77133
 	*len = ln;
a77133
-	return 0;
a77133
-err:
a77133
-	free(lst);
a77133
 	return retval;
a77133
 }
a77133
-- 
a77133
2.35.1
a77133