diff options
| author | Harald Hoyer <harald@redhat.com> | 2015-06-08 15:14:26 +0200 |
|---|---|---|
| committer | Harald Hoyer <harald@redhat.com> | 2015-06-08 15:14:26 +0200 |
| commit | 46be6129d3e52556eb0f2ae4d07818f9f3f7af7a (patch) | |
| tree | 6f1746f1cc448e97f729465ca9ff78b9599891fa /src/shared | |
| parent | 1472e6579944531908a21f850d2fabc99b8cc65d (diff) | |
util:bind_remount_recursive() fix "use after free"
set_consume(done, x) consumes x with free(x)
but
mount(…, x, …) uses it afterwards.
coverity CID 1299006
Diffstat (limited to 'src/shared')
| -rw-r--r-- | src/shared/util.c | 17 |
1 files changed, 11 insertions, 6 deletions
diff --git a/src/shared/util.c b/src/shared/util.c index 311acbb349..1442301cd7 100644 --- a/src/shared/util.c +++ b/src/shared/util.c @@ -4931,11 +4931,15 @@ int bind_remount_recursive(const char *prefix, bool ro) { while ((x = set_steal_first(todo))) { - r = set_consume(done, x); - if (r == -EEXIST) + r = set_put(done, x); + if (r == -EEXIST) { + free(x); continue; - if (r < 0) + } + if (r < 0) { + free(x); return r; + } /* Try to reuse the original flag set, but * don't care for errors, in case of @@ -4945,14 +4949,15 @@ int bind_remount_recursive(const char *prefix, bool ro) { orig_flags &= ~MS_RDONLY; if (mount(NULL, x, NULL, orig_flags|MS_BIND|MS_REMOUNT|(ro ? MS_RDONLY : 0), NULL) < 0) { - /* Deal with mount points that are * obstructed by a later mount */ - if (errno != ENOENT) + if (errno != ENOENT) { + free(x); return -errno; + } } - + free(x); } } } |