Skip to content

Commit

Permalink
test/autofs: fix use-after-free
Browse files Browse the repository at this point in the history
autofs.c:66:17: error: pointer 'str' may be used after 'realloc' [-Werror=use-after-free]

autofs.c: In function 'check_automount':
../lib/zdtmtst.h:131:9: error: pointer 'mountpoint' may be used after 'free' [-Werror=use-after-free]
  131 |         test_msg("ERR: %s:%d: " format " (errno = %d (%s))\n", __FILE__, __LINE__, ##arg, errno, strerror(errno))
      |         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
autofs.c:277:17: note: in expansion of macro 'pr_perror'
  277 |                 pr_perror("%s: failed to close fd %d", mountpoint, p->fd);
      |                 ^~~~~~~~~
autofs.c:268:9: note: call to 'free' here
  268 |         free(mountpoint);
      |         ^~~~~~~~~~~~~~~~

Fixes: checkpoint-restore#1731

v2: (@Snorch) always update `str` after successful realloc()

Signed-off-by: Radostin Stoyanov <rstoyanov@fedoraproject.org>
  • Loading branch information
rst0git authored and Yangfisher1 committed Feb 8, 2022
1 parent 413c92b commit 333e3c9
Showing 1 changed file with 3 additions and 2 deletions.
5 changes: 3 additions & 2 deletions test/zdtm/static/autofs.c
Original file line number Diff line number Diff line change
Expand Up @@ -47,14 +47,14 @@ static char *xvstrcat(char *str, const char *fmt, va_list args)
ret = -ENOMEM;
new = realloc(str, offset + delta);
if (new) {
str = new;
va_copy(tmp, args);
ret = vsnprintf(new + offset, delta, fmt, tmp);
va_end(tmp);
if (ret >= delta) {
/* NOTE: vsnprintf returns the amount of bytes
* * to allocate. */
delta = ret + 1;
str = new;
ret = 0;
}
}
Expand Down Expand Up @@ -266,6 +266,7 @@ static int check_automount(struct autofs_params *p)
return err;

free(mountpoint);
mountpoint = NULL;

err = p->setup(p);
if (err) {
Expand All @@ -274,7 +275,7 @@ static int check_automount(struct autofs_params *p)
}

if (close(p->fd)) {
pr_perror("%s: failed to close fd %d", mountpoint, p->fd);
pr_perror("mountpoint failed to close fd %d", p->fd);
return -errno;
}

Expand Down

0 comments on commit 333e3c9

Please sign in to comment.