diff options
author | Theodore Ts'o <tytso@mit.edu> | 2021-02-12 21:43:00 -0500 |
---|---|---|
committer | Theodore Ts'o <tytso@mit.edu> | 2021-02-12 21:43:00 -0500 |
commit | 462c424500a592723887b861f857650523bab359 (patch) | |
tree | 39693af6cc3406db8641de7a9802254bb36bcc20 | |
parent | eef68a593f7f1a1c60be6da670cc3c7abb7d013a (diff) | |
download | e2fsprogs-462c424500a592723887b861f857650523bab359.tar.gz |
debugfs: fix memory allocation failures when parsing journal_write arguments
Fix double-free issues when parsing an invalid journal_write command,
such as: "journal_write -b 12 -b BAD -b 42".
Addresses-Coverity-Bug: 1464571
Addresses-Coverity-Bug: 1464575
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
-rw-r--r-- | debugfs/do_journal.c | 8 | ||||
-rw-r--r-- | debugfs/util.c | 15 |
2 files changed, 13 insertions, 10 deletions
diff --git a/debugfs/do_journal.c b/debugfs/do_journal.c index c25e89467..a49bc369a 100644 --- a/debugfs/do_journal.c +++ b/debugfs/do_journal.c @@ -556,15 +556,19 @@ void do_journal_write(int argc, char *argv[], int sci_idx EXT2FS_ATTR((unused)), switch (opt) { case 'b': err = read_list(optarg, &blist, &bn); - if (err) + if (err) { com_err(argv[0], err, "while reading block list"); + goto out; + } break; case 'r': err = read_list(optarg, &rlist, &rn); - if (err) + if (err) { com_err(argv[0], err, "while reading revoke list"); + goto out; + } break; case 'c': flags |= JOURNAL_WRITE_NO_COMMIT; diff --git a/debugfs/util.c b/debugfs/util.c index fb05e897b..be6b550e4 100644 --- a/debugfs/util.c +++ b/debugfs/util.c @@ -521,7 +521,7 @@ errcode_t read_list(char *str, blk64_t **list, size_t *len) blk64_t *lst = *list; size_t ln = *len; char *tok, *p = str; - errcode_t retval; + errcode_t retval = 0; while ((tok = strtok(p, ","))) { blk64_t *l; @@ -538,15 +538,17 @@ errcode_t read_list(char *str, blk64_t **list, size_t *len) return errno; } else if (*e != 0) { retval = EINVAL; - goto err; + break; } if (y < x) { retval = EINVAL; - goto err; + break; } l = realloc(lst, sizeof(blk64_t) * (ln + y - x + 1)); - if (l == NULL) - return ENOMEM; + if (l == NULL) { + retval = ENOMEM; + break; + } lst = l; for (; x <= y; x++) lst[ln++] = x; @@ -555,9 +557,6 @@ errcode_t read_list(char *str, blk64_t **list, size_t *len) *list = lst; *len = ln; - return 0; -err: - free(lst); return retval; } |