diff options
author | Yufen Yu <yuyufen@huawei.com> | 2019-01-24 17:06:29 +0800 |
---|---|---|
committer | David Oberhollenzer <david.oberhollenzer@sigma-star.at> | 2019-02-11 04:58:33 +0100 |
commit | f18e9636a26f39f6595ed365d31c01e876235b63 (patch) | |
tree | 35aefdce08d3d2733664462a40bab701d20492ea /ubifs-utils | |
parent | 4a5a10a3dfe13d3f546ee4acbe2a96054ae423f7 (diff) |
mtd-utils: fixes double free in mkfs.ubifs
In inode_add_xattr(), it malloc a buffer for name, and then passes
the bufffer ptr to add_xattr(). The ptr will be used to create a new
idx_entry in add_to_index().
However, inode_add_xattr() will free the buffer before return.
which can cause double free in write_index(): free(idx_ptr[i]->name)
*** Error in `./mkfs.ubifs': double free or corruption (fasttop): 0x0000000000aae220 ***
======= Backtrace: =========
/lib64/libc.so.6(+0x7cbac)[0x7f4881ff5bac]
/lib64/libc.so.6(+0x87a59)[0x7f4882000a59]
/lib64/libc.so.6(cfree+0x16e)[0x7f48820063be]
./mkfs.ubifs[0x402fbf]
/lib64/libc.so.6(__libc_start_main+0xea)[0x7f4881f9988a]
./mkfs.ubifs[0x40356a]
Signed-off-by: Yufen Yu <yuyufen@huawei.com>
Signed-off-by: David Oberhollenzer <david.oberhollenzer@sigma-star.at>
Diffstat (limited to 'ubifs-utils')
-rw-r--r-- | ubifs-utils/mkfs.ubifs/mkfs.ubifs.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/ubifs-utils/mkfs.ubifs/mkfs.ubifs.c b/ubifs-utils/mkfs.ubifs/mkfs.ubifs.c index 6e11ec8..e0c42f3 100644 --- a/ubifs-utils/mkfs.ubifs/mkfs.ubifs.c +++ b/ubifs-utils/mkfs.ubifs/mkfs.ubifs.c @@ -1163,8 +1163,9 @@ static int add_xattr(struct ubifs_ino_node *host_ino, struct stat *st, union ubifs_key xkey, nkey; int len, ret; - nm.name = name; nm.len = strlen(name); + nm.name = xmalloc(nm.len + 1); + memcpy(nm.name, name, nm.len + 1); host_ino->xattr_cnt++; host_ino->xattr_size += CALC_DENT_SIZE(nm.len); |