From 46be6129d3e52556eb0f2ae4d07818f9f3f7af7a Mon Sep 17 00:00:00 2001 From: Harald Hoyer Date: Mon, 8 Jun 2015 15:14:26 +0200 Subject: util:bind_remount_recursive() fix "use after free" MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit set_consume(done, x) consumes x with free(x) but mount(…, x, …) uses it afterwards. coverity CID 1299006 --- src/shared/util.c | 17 +++++++++++------ 1 file changed, 11 insertions(+), 6 deletions(-) (limited to 'src/shared') diff --git a/src/shared/util.c b/src/shared/util.c index 311acbb349..1442301cd7 100644 --- a/src/shared/util.c +++ b/src/shared/util.c @@ -4931,11 +4931,15 @@ int bind_remount_recursive(const char *prefix, bool ro) { while ((x = set_steal_first(todo))) { - r = set_consume(done, x); - if (r == -EEXIST) + r = set_put(done, x); + if (r == -EEXIST) { + free(x); continue; - if (r < 0) + } + if (r < 0) { + free(x); return r; + } /* Try to reuse the original flag set, but * don't care for errors, in case of @@ -4945,14 +4949,15 @@ int bind_remount_recursive(const char *prefix, bool ro) { orig_flags &= ~MS_RDONLY; if (mount(NULL, x, NULL, orig_flags|MS_BIND|MS_REMOUNT|(ro ? MS_RDONLY : 0), NULL) < 0) { - /* Deal with mount points that are * obstructed by a later mount */ - if (errno != ENOENT) + if (errno != ENOENT) { + free(x); return -errno; + } } - + free(x); } } } -- cgit v1.2.3-54-g00ecf
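Review bot: The `free(x)` added at the end of the loop body (second hunk), and the one before `return -errno`, release a string that `set_put(done, x)` in the first hunk has just inserted into `done`, so after a successful insert the set holds a freed pointer. Assuming `set_put()` stores the caller's pointer rather than a copy, any later lookup in `done` would hash or compare freed memory, and freeing the set's entries on exit would free each path a second time. Ownership should pass to `done` once the insert succeeds, so `x` should be freed only when it was not stored, for example `if (r <= 0) free(x);` directly after the `set_put()` call, with both `free(x)` calls after `mount()` dropped. If `set_put()` can return 0 for a key that is already present, that case should also `continue` like `-EEXIST` instead of remounting. The declaration of `done` and the rest of `bind_remount_recursive()` are outside these hunks, so the set's cleanup should be confirmed there.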