authorYufen Yu <yuyufen@huawei.com>2019-01-24 17:06:29 +0800
committerDavid Oberhollenzer <david.oberhollenzer@sigma-star.at>2019-02-11 04:58:33 +0100
commitf18e9636a26f39f6595ed365d31c01e876235b63 (patch)
tree35aefdce08d3d2733664462a40bab701d20492ea /ubifs-utils/mkfs.ubifs/mkfs.ubifs.c
parent4a5a10a3dfe13d3f546ee4acbe2a96054ae423f7 (diff)
mtd-utils: fixes double free in mkfs.ubifs
inode_add_xattr() mallocs a buffer for the name and then passes the buffer pointer to add_xattr(). The pointer is used to create a new idx_entry in add_to_index(). However, inode_add_xattr() frees the buffer before returning, which can cause a double free in write_index(): free(idx_ptr[i]->name) *** Error in `./mkfs.ubifs': double free or corruption (fasttop): 0x0000000000aae220 *** ======= Backtrace: ========= /lib64/libc.so.6(+0x7cbac)[0x7f4881ff5bac] /lib64/libc.so.6(+0x87a59)[0x7f4882000a59] /lib64/libc.so.6(cfree+0x16e)[0x7f48820063be] ./mkfs.ubifs[0x402fbf] /lib64/libc.so.6(__libc_start_main+0xea)[0x7f4881f9988a] ./mkfs.ubifs[0x40356a] Signed-off-by: Yufen Yu <yuyufen@huawei.com> Signed-off-by: David Oberhollenzer <david.oberhollenzer@sigma-star.at>
Diffstat (limited to 'ubifs-utils/mkfs.ubifs/mkfs.ubifs.c')
-rw-r--r--ubifs-utils/mkfs.ubifs/mkfs.ubifs.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/ubifs-utils/mkfs.ubifs/mkfs.ubifs.c b/ubifs-utils/mkfs.ubifs/mkfs.ubifs.c
index 6e11ec8..e0c42f3 100644
--- a/ubifs-utils/mkfs.ubifs/mkfs.ubifs.c
+++ b/ubifs-utils/mkfs.ubifs/mkfs.ubifs.c
@@ -1163,8 +1163,9 @@ static int add_xattr(struct ubifs_ino_node *host_ino, struct stat *st,
union ubifs_key xkey, nkey;
int len, ret;
- nm.name = name;
nm.len = strlen(name);
+ nm.name = xmalloc(nm.len + 1);
+ memcpy(nm.name, name, nm.len + 1);
host_ino->xattr_cnt++;
host_ino->xattr_size += CALC_DENT_SIZE(nm.len);
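Review bot: The copy made at `nm.name = xmalloc(nm.len + 1);` changes who owns the name, but nothing in the code records that, so a later cleanup could reintroduce the aliasing that caused the double free. I would add a comment above the allocation such as `/* Private copy: add_to_index() keeps this pointer and write_index() frees it; the caller still owns and frees 'name'. */`. The rest of add_xattr() lies outside the hunk, so please confirm that every failure return between this allocation and the hand-off to add_to_index() releases `nm.name`; otherwise the copy leaks on the error path. If the tree's allocation helpers already provide a string-duplicating wrapper, using it would replace the xmalloc/memcpy pair and keep the length arithmetic in one place.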