If we iterate the "goto again" loop, we've called "closedir(dirp)", yet at the top of the loop, upon malloc failure we "goto fail", where we test dirp and if non-NULL, call closedir(dirp) again.

* utils.c (btrfs_scan_one_dir): Clear "dirp" after closedir to avoid use-after-free upon failed fullpath = malloc(...

Signed-off-by: Jim Meyering <meyering@xxxxxxxxxx>
---
Coverity reported this use-after-free. I chose to set dirp to NULL after each closedir(dirp). An alternative fix is to move the test for malloc failure "down" to after the test for opendir failure.

utils.c | 1 + 1 file changed, 1 insertion(+) diff --git a/utils.c b/utils.c index ee7fa1b..7c8c9d3 100644 --- a/utils.c +++ b/utils.c @@ -1021,6 +1021,7 @@ again: list); list_del(&pending->list); closedir(dirp); + dirp = NULL; goto again; } ret = 0; -- 1.7.10.128.g7945c
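Review bot: the added `dirp = NULL;` just before `goto again` has no comment, and on its own it reads like a dead store that a later cleanup could remove. A one-line comment on that assignment would help, saying that it keeps the closedir(dirp) under `fail` from running on an already-closed handle when the malloc check at the top of the loop fails. The message also says dirp is set to NULL after each closedir(dirp), while the diff changes a single site (1 insertion). Please confirm that no other closedir(dirp) in btrfs_scan_one_dir can be followed by a jump to `fail`, or reword the message to match. Of the two fixes the message mentions, clearing the pointer is the one that does not depend on the order of the malloc and opendir checks, so keeping it is reasonable.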
