Fix: libfstree: double free in error path

If fstree_mknode fails, because the parent link count would overflow,
the function fails and cleans up behind it. The problem arises because
the function does this check *after* inserting the node in the parent
node, so it is later free'd again, when destroying the rest of the
tree.

This patch moves the insertion after the check to mitigate the problem.

Reported-by: Marvin Renich <mrvn@renich.org>
Signed-off-by: David Oberhollenzer <david.oberhollenzer@sigma-star.at>

1 files changed, 4 insertions, 6 deletions

diff --git a/lib/fstree/mknode.c b/lib/fstree/mknode.c
index e0ab5b8..5a46a05 100644
--- a/lib/fstree/mknode.c
+++ b/lib/fstree/mknode.c
@@ -33,12 +33,6 @@ tree_node_t *fstree_mknode(tree_node_t *parent, const char *name,
 	if (n == NULL)
 		return NULL;
 
-	if (parent != NULL) {
-		n->next = parent->data.dir.children;
-		parent->data.dir.children = n;
-		n->parent = parent;
-	}
-
 	n->xattr_idx = 0xFFFFFFFF;
 	n->uid = sb->st_uid;
 	n->gid = sb->st_gid;
@@ -81,6 +75,10 @@ tree_node_t *fstree_mknode(tree_node_t *parent, const char *name,
 			return NULL;
 		}
 
+		n->next = parent->data.dir.children;
+		parent->data.dir.children = n;
+		n->parent = parent;
+
 		parent->link_count++;
 	}